Vulnerability Disclosures
Public log of AI security vulnerabilities discovered by LogicLeak researchers: disclosed in coordination with vendors, documented fully, and never weaponized.
Vulnerability Disclosures is the public record of security findings LogicLeak has reported in third-party AI products, frameworks, and infrastructure. Each disclosure follows our coordinated-disclosure policy. The page is updated as findings complete their coordination window — it is not a feed of every finding ever made, but a log of those that have completed responsible disclosure.
No disclosures have completed coordination yet. LogicLeak's disclosure pipeline is open and in active use — first public disclosures expected Q3 2026 as 90–120 day coordination windows mature.
Last status: MAY 2026 · 0 public disclosures · 0 in active coordination
90-day default coordination window.
When LogicLeak discovers a vulnerability in a third-party AI product, framework, or service, we initiate coordinated disclosure with the affected vendor. The default window is 90 days from initial vendor notification to public disclosure.
Extensions for complex systemic issues.
Where remediation requires architectural changes, vendor coordination with downstream consumers, or industry-wide coordination, we extend the window to 120 days. Beyond 120 days, we publicly disclose regardless, with appropriate warnings to the vendor.
No leveraged or sold findings.
LogicLeak does not sell vulnerability findings, license them to private buyers, or use them as leverage in business development. Findings discovered in third-party products are disclosed only — never weaponized, never traded.
Public-interest exceptions.
Where a vulnerability is being actively exploited in the wild, or where the affected vendor is unresponsive, or where continuing to withhold the disclosure creates greater harm than publishing, we may disclose before the standard window closes. Such exceptions are documented in the disclosure itself.
Researcher credit.
Each disclosure credits the LogicLeak researchers who discovered the finding, unless the researcher requests anonymity. We do not claim collective credit when individual attribution is appropriate.
Reproduction guidance with restraint.
Disclosures include enough reproduction detail for affected parties to verify the fix and for security teams to detect attempted exploitation. We do not publish weaponizable proof-of-concept code at disclosure time; we publish it after sufficient remediation deployment.
LogicLeak does not publish findings or vendor names while coordination is in progress. The aggregate counts above will update as findings move from active coordination to public disclosure.
If you've discovered a security issue in LogicLeak's tools, website, or infrastructure, we want to know. We follow the same coordinated-disclosure practices on our own systems that we apply to third-party findings.
Researchers reporting LogicLeak vulnerabilities are credited in published disclosures (with consent), referenced in hiring conversations where appropriate, and acknowledged publicly in this stream when remediation completes. We do not currently offer monetary bounty.
Disclosure program operational since January 2026. First public disclosures expected Q3 2026.