Security & disclosure
Last updated: 2026-05-03
Mycelium runs a coordinated disclosure program. Researchers who report vulnerabilities in good faith and in line with the rules below will be acknowledged in our public CHANGELOG and credited in any related security advisory.
1. Reporting
Send vulnerability reports to adelaida@diazroa.com. Encrypted submissions are welcome; PGP key fingerprint available on request.
Please include:
- A clear, reproducible description of the issue
- The affected URL, endpoint, version, or component
- Proof-of-concept output or steps that demonstrate the impact
- Your preferred name for credit (or a request to remain anonymous)
2. Response timeline
- Acknowledgement within one business day
- Initial triage and severity assessment within five business days
- Remediation plan and target date within fifteen business days
- Public disclosure: ninety days from the initial report, or earlier once a fix has shipped and affected customers have been notified, whichever comes first
3. Scope
In scope:
- myceliumai.co and all subdomains operated by Mycelium
- The open-source memory layer at github.com/adelaidasofia/ai-brain-starter
- The productized runtime endpoints exposed to customers under an engagement letter (subject to Section 4)
Out of scope:
- Third-party services (Vercel infrastructure, Resend, PostHog, Anthropic, OpenAI, etc.). Report issues in those services to the vendor directly.
- Social engineering of Mycelium employees, contractors, or pilot customers
- Physical attacks on Mycelium offices or hardware
- Denial-of-service or rate-limit testing without prior written authorization
4. Safe harbor
Research conducted in line with this policy is considered authorized, and Mycelium will not pursue civil action against the researcher or refer the activity to law enforcement. This authorization covers only the in-scope targets listed in Section 3; Mycelium cannot authorize testing against third-party services. Researchers must avoid accessing or modifying customer data (if testing unexpectedly exposes customer data, stop and report it rather than continuing), must stop testing immediately on request, and must give Mycelium reasonable time to remediate before public disclosure.
5. Recognition
Researchers who follow this policy and submit valid vulnerability reports are acknowledged in the public CHANGELOG and (with the researcher’s consent) in any published security advisory. Cash bounties are not currently offered; we expect to launch a paid program after the SOC 2 Type II audit completes.
6. Privacy & data subject inquiries
For privacy questions or data-subject requests under GDPR, UK GDPR, CCPA, or LGPD, write to adelaida@diazroa.com.
Mycelium · founded 2026