Security is a top priority at Carbonfact. Our Vulnerability Disclosure Program (VDP) gives researchers a safe, formal channel to report issues so we can keep the platform secure and reliable for the companies who depend on it.
This section lists assets that are the primary scope for the VDP. For assets that are not mentioned in this scope, you’re invited to send a report if you believe the identified vulnerability represent a significant risk for Carbonfact.
Applications that are developed by Carbonfact and hosted on our infrastructure (GCP, Auth0, Cloudflare, Vercel) are our primary scope. In particular, applications deployed on the following domains:
ai-core.carbonfact.comapi.carbonfact.comauth.carbonfact.combenchmark.carbonfact.complatform.carbonfact.comstaging.api.carbonfact.comstaging.platform.carbonfact.compublic.carbonfact.comsuppliers.carbonfact.comTo avoid disruption to users, employees, and partners, these are out of scope: