AtlasWork, planned itself.

The AI-native, all-in-one work platform. Tasks, projects, CRM, contracts, and analytics in one calm workspace.

  • SOC 2 II
  • ISO 27001
  • HIPAA
  • GDPR

Product

  • Overview
  • PDF tools
  • People & HR
  • Integrations
  • Marketplace
  • Pricing

Resources

  • Guides
  • Docs
  • API reference
  • Support
  • Changelog
  • Status

Company

  • About
  • Careers
  • Press
  • Contact

Legal & trust

  • Trust center
  • Security
  • Privacy
  • Terms
  • DPA
  • GDPR
  • SLA
  • Refunds
Atlas, a product by wrxstack.com·© 2026 wrxstack·All rights reserved
Made in India

Coordinated disclosure

Bug bounty and vulnerability disclosure

Help keep Atlas Task Manager safe. We welcome good-faith security research when it avoids privacy harm, service disruption, and data destruction.

How to report

Email security@wrxstack.com with a concise proof of concept, affected URLs, reproduction steps, impact, and any account or workspace ids used for testing. For encrypted disclosure, use the published coordination notice at https://atlas.wrxstack.com/.well-known/pgp-key.txt.

In scope

  • Authentication, session handling, and authorization bypasses.
  • Cross-tenant data exposure across workspaces, projects, tasks, files, comments, or audit logs.
  • Stored or reflected XSS that can affect another user.
  • Server-side request forgery, remote code execution, or privilege escalation.
  • Sensitive data exposure in public routes, logs, exports, webhooks, or integration callbacks.

Out of scope

  • Denial-of-service testing or resource exhaustion.
  • Automated scanner output without a working proof of impact.
  • Social engineering, phishing, spam, or physical attacks.
  • Reports against third-party services unless they directly expose Atlas customer data.
  • Missing headers without an exploitable security impact.

Safe harbor

We will not pursue legal action for research that follows this policy, avoids accessing or modifying data that is not yours, stops testing as soon as impact is proven, and gives us a reasonable window to fix the issue before public disclosure.

We acknowledge valid reports within three business days and prioritize remediation by severity. Reward decisions are discretionary until a formal paid bounty pool is announced.

Full security program overview: Security and Security & Disclosure.