Secure by Design

Elo is built for a specific use case: letting people write small programs that run somewhere they don't control. Think of a spreadsheet formula, but more powerful. You write it, someone else's computer runs it.

This happens all the time in No-Code tools, automation platforms (like Zapier or Make), and data pipelines. Users need to express logic—"if this date is past, send a reminder"—without having access to the full power (and danger) of a real programming language.

That's why Elo is designed as a pure expression language. It's like a calculator: you give it some numbers and formulas, it gives you a result. Nothing more.

What Elo Cannot Do

We keep Elo safe by being very strict about what it cannot do:

  • No infinite loops. Every Elo expression finishes: there is no recursion, no while loop, and no regular-expression matching that could be driven into runaway backtracking.
  • No eval. You can't construct code at runtime and execute it. What you see is what runs.
  • No I/O. Elo can't read files, make web requests, or access databases. It only works with the data you give it.
  • No host access. Elo can't touch the JavaScript window object, environment variables, or any other host global. It's sandboxed.

The environment running Elo is responsible for providing data (through the _ input variable) and deciding what to do with the result.
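As an added illustration (not Elo's code and not Elo's syntax), the following toy pure-expression evaluator in JavaScript applies the same four restrictions the way an embedder would want to check them: the source text is parsed into a tree and walked, never handed to eval or new Function; the grammar has no loops, definitions or calls, so evaluation always ends; there are no built-ins that perform I/O; and the only name an expression can reference is _, resolved through own data properties of the host-supplied input so that names such as constructor or __proto__ cannot reach a Function or the prototype chain. The syntax, and the names run, tokenize, parse, evaluate, MAX_SOURCE and MAX_DEPTH, are assumptions of this example.

```javascript
// Added illustration, not Elo's code: a toy pure-expression evaluator with an invented
// syntax. The names run, tokenize, parse, evaluate, MAX_SOURCE, MAX_DEPTH are assumptions.
const MAX_SOURCE = 2000; // assumed bound on source size: "finishes" must also mean "finishes quickly"
const MAX_DEPTH = 64;    // assumed bound on nesting: protects the host's own call stack

// Tokens: numbers, double-quoted strings (no escapes), identifiers, operators.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|("[^"]*")|([A-Za-z_][A-Za-z0-9_]*)|(==|!=|<=|>=|[-+*\/<>().]))/y;

function tokenize(src) {
  if (typeof src !== 'string' || src.length > MAX_SOURCE) throw new Error('source must be a short string');
  const toks = [];
  for (let pos = 0; pos < src.length; pos = TOKEN_RE.lastIndex) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (!m) {
      if (/^\s*$/.test(src.slice(pos))) break; // only trailing whitespace left
      throw new Error('unexpected character at ' + pos);
    }
    if (m[1] !== undefined) toks.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) toks.push({ t: 'str', v: m[2].slice(1, -1) });
    else if (m[3] !== undefined) toks.push({ t: 'id', v: m[3] });
    else toks.push({ t: 'op', v: m[4] });
  }
  return toks;
}

// Maps rather than plain objects, so an identifier such as "constructor" can never be
// mistaken for a keyword or operator through the prototype chain.
const LITERALS = new Map([['true', true], ['false', false], ['null', null]]);
const BINARY = new Map([['or', 1], ['and', 2], ['==', 3], ['!=', 3], ['<', 4], ['<=', 4],
  ['>', 4], ['>=', 4], ['+', 5], ['-', 5], ['*', 6], ['/', 6]]);

// Recursive-descent parser. The grammar has no loops, definitions or calls, so every AST is
// finite and evaluation is guaranteed to end; MAX_DEPTH additionally bounds the recursion.
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  function primary(depth) {
    if (depth > MAX_DEPTH) throw new Error('expression too deeply nested');
    const t = next();
    if (!t) throw new Error('unexpected end of expression');
    if (t.t === 'num' || t.t === 'str') return { k: 'lit', v: t.v };
    if (t.t === 'op' && t.v === '(') {
      const e = expr(0, depth + 1);
      const close = next();
      if (!close || close.v !== ')') throw new Error('expected ")"');
      return e;
    }
    if (t.t === 'op' && t.v === '-') return { k: 'neg', e: primary(depth + 1) };
    if (t.t !== 'id') throw new Error('unexpected token: ' + t.v);
    if (LITERALS.has(t.v)) return { k: 'lit', v: LITERALS.get(t.v) };
    if (t.v === 'not') return { k: 'not', e: primary(depth + 1) };
    if (t.v !== '_') throw new Error('unknown identifier: ' + t.v); // no globals: no window, no process
    const path = []; // `_` is the only name an expression may reference: the host's input
    while (peek() && peek().t === 'op' && peek().v === '.') {
      next();
      const f = next();
      if (!f || f.t !== 'id') throw new Error('expected a field name after "."');
      path.push(f.v);
    }
    return { k: 'input', path };
  }
  function expr(minPrec, depth) {
    let left = primary(depth);
    for (;;) {
      const t = peek();
      const prec = t && t.t !== 'num' && t.t !== 'str' ? BINARY.get(t.v) : undefined;
      if (prec === undefined || prec < minPrec) return left;
      next();
      left = { k: 'bin', op: t.v, l: left, r: expr(prec + 1, depth + 1) };
    }
  }
  const ast = expr(0, 0);
  if (i !== tokens.length) throw new Error('unexpected trailing input');
  return ast;
}

function num(v) { if (typeof v !== 'number') throw new Error('expected a number'); return v; }
const truthy = (v) => v !== null && v !== false;
const OPS = new Map([
  ['+', (a, b) => (typeof a === 'string' && typeof b === 'string' ? a + b : num(a) + num(b))],
  ['-', (a, b) => num(a) - num(b)], ['*', (a, b) => num(a) * num(b)], ['/', (a, b) => num(a) / num(b)],
  ['==', (a, b) => a === b], ['!=', (a, b) => a !== b], ['<', (a, b) => num(a) < num(b)],
  ['<=', (a, b) => num(a) <= num(b)], ['>', (a, b) => num(a) > num(b)], ['>=', (a, b) => num(a) >= num(b)],
]);

// Tree-walking evaluator: the source text never reaches eval() or new Function(), and the
// only values reachable are literals and own data properties of the host-supplied input.
function evaluate(node, input) {
  switch (node.k) {
    case 'lit': return node.v;
    case 'neg': return -num(evaluate(node.e, input));
    case 'not': return !truthy(evaluate(node.e, input));
    case 'input': {
      let cur = input;
      for (const f of node.path) {
        // Own properties only: "_.constructor" or "_.__proto__" resolve to null instead of
        // handing the expression a Function or the prototype chain.
        if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, f)) return null;
        cur = cur[f];
      }
      return typeof cur === 'function' ? null : cur; // never expose callables to the expression
    }
    default: { // 'bin'
      if (node.op === 'and') return truthy(evaluate(node.l, input)) ? evaluate(node.r, input) : false;
      if (node.op === 'or') { const l = evaluate(node.l, input); return truthy(l) ? l : evaluate(node.r, input); }
      return OPS.get(node.op)(evaluate(node.l, input), evaluate(node.r, input));
    }
  }
}

// Host entry point: the host supplies data as `_` and decides what to do with the result.
function run(src, input) { return evaluate(parse(tokenize(src)), input); }
```

With this harness, run('_.age >= 18 and _.plan == "pro"', { age: 20, plan: 'pro' }) returns true, run('_.constructor', {}) returns null rather than a Function, and run('window', {}) throws before anything is evaluated. The two bounds are the caveat a practitioner should keep in mind when embedding any "total" expression language: termination is a property of the grammar, but the host still has to cap the size and nesting of what it accepts so that finishing is also fast and cannot exhaust the host's own stack.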

Bug Bounty Program

Found a security issue? We want to hear from you. We offer rewards for valid security vulnerabilities:

  • 50€: Medium Severity
  • 100€: High Severity
  • If you provide a fix

Rules

  • Demonstrate the issue with a valid .elo program
  • Explain the target environment where the vulnerability occurs
  • Provide identifying information for payment (no anonymous submissions)
  • Keep issues private for 90 days while we work on a fix

We may reject submissions that don't meet our criteria. Final severity is assessed by our team.

Contact

Send security reports to security@enspirit.dev