Coordinated Vulnerability Disclosure Policy
Last updated: 2026-04-17
Artifio.ai welcomes security research. This page is the canonical destination for the Policy: field in our security.txt. It explains how to report issues, what we promise in return, and the boundaries of testing we authorise.
How to report
- Email: security@artifio.ai
- Subject line: [disclosure] <one-line summary>
- Acknowledgement: within 2 business days.
- Triage decision: within 10 business days.
Please include in your initial report:
- A concise description of the vulnerability and its impact.
- Exact URL(s), parameter(s), and HTTP method(s) involved.
- Step-by-step reproduction instructions (curl or HAR file preferred).
- Earliest date / version where the issue is reproducible (if known).
- Your contact and any preferred handle for attribution (anonymous is fine).
What we commit to
- Acknowledge receipt within 2 business days.
- Triage with a severity decision within 10 business days.
- Patch Critical / High issues within 30 days, Medium within 90 days, Low within 180 days, measured from confirmation.
- No legal action against good-faith researchers who follow this policy. We will not pursue claims under the CFAA, Computer Misuse Act, or comparable statutes for activity that matches the in-scope rules below.
- Public attribution in the next quarterly security note (or anonymous if you prefer).
- Coordinated disclosure within 90 days of confirmed report, or 30 days after a fix ships, whichever is earlier.
Scope
In scope
- Production app: artifio.ai, *.artifio.ai.
- Public APIs under /api/, including catalog, generation, polling, webhook, and admin surfaces (the latter only as far as you can probe without privileged credentials).
- React client bundles served from these origins.
- CI/CD supply-chain configuration in .github/workflows/ (vulnerability research only — sabotage is not authorised).
Out of scope (do not test)
- Third-party services we depend on (Clerk, Stripe, Dodo, Cloudflare, Neon, Upstash, Sentry, Resend, Kie.ai, Runware, OpenAI, Anthropic, Shotstack, JSON2Video, Pixabay, Browserless, ElevenLabs, PostHog). Report those issues directly to the vendor.
- Denial of service, resource exhaustion, application-layer flooding, brute forcing of credentials. Use restraint; if you need to demonstrate a rate-limit bypass, stop after a single proof and email us.
- Any test that destroys, modifies, or exfiltrates customer data. Target an account you control or one we provision for the test on request.
- Social engineering of staff, customers, or contractors.
- Physical attacks against datacenters or offices.
- Attacks requiring already-compromised credentials issued via password reuse.
- Lighthouse / Core Web Vitals / SEO regressions (handled outside this pipeline).
Specifically welcome (high-signal targets)
- AuthN / AuthZ bypass on /api/admin/**, /api/db/rpc, /api/functions/**, or /api/generate.
- Server-side request forgery (SSRF) bypasses against our safeFetch allowlist.
- SQL injection, NoSQL injection, command injection.
- Cross-site scripting (reflected or stored), particularly via prompt content, model schemas, or user-uploaded media metadata.
- Webhook signature bypass for Clerk, Stripe, Dodo, QStash, Kie.ai, Runware, JSON2Video, provider callback.
- Rate-limit bypass on /api/generate, /api/db/rpc, or /api/functions/[name].
- Wallet / billing logic flaws (forced refunds, double-spend, free generations).
- CORS / CSRF flaws against our origin allowlist.
- Information disclosure of unpublished blog posts, deactivated models, or draft model pages.
- Sourcemap or sensitive identifier leakage in client bundles.
Safe harbour
Researchers acting in good faith and within this policy are authorised under our CFAA safe harbour. Provided you (1) limit testing to in-scope assets, (2) make a reasonable effort to avoid privacy violations and service disruption, (3) stop testing immediately if you encounter sensitive data and report it, and (4) do not publicly disclose the issue before we have agreed timing — we will treat your work as authorised access and will not pursue legal action.
Bounty status
We do not currently run a paid bug-bounty program. We will publicly acknowledge researchers (with permission) and we evaluate higher-severity reports for discretionary thanks (swag, public note, occasionally cash). Always describe the issue first; do not lead with a payment request.
Hall of fame
Empty as of 2026-04-17. The first responsibly-disclosed High or Critical will be acknowledged here with the researcher's permission.
Contact
security@artifio.ai. If you do not hear back within 2 business days, escalate by emailing the same address with subject prefix [disclosure-followup].