Security & Responsible Disclosure
If you find a security issue, please report it privately so we can investigate and fix it quickly.
How to report
security@arckeep.net
Please include the URL, steps to reproduce, screenshots, timestamps, and the impact you believe the issue could have.
Expected response
Acknowledgement target: 3 business days
Reward policy
We do not currently run a public bug bounty, but we appreciate responsible disclosure.
Safe harbor
If you act in good faith, avoid privacy violations and disruption, and give us reasonable time to respond, we will treat your research as authorized under this disclosure policy.
In scope
In scope: authentication, authorization, sensitive data exposure, account takeover, payment/billing issues, file access, privilege escalation, API key exposure, and any vulnerability that could materially affect users or data.
Out of scope
Out of scope: spam, DDoS, social engineering, physical attacks, clickjacking-only reports without impact, best-practice-only suggestions, and issues that require compromising user devices or third-party services we do not control.
Testing rules
Do not access other users' content, exfiltrate data, destroy data, or intentionally degrade service. Keep testing to the minimum necessary to demonstrate the issue.