Responsible Disclosure

This policy covers the public surface of MisanpAIge:

• misanpaige.com and its subdomains
• The web app at app.misanpaige.com (when launched)
• Public Supabase Edge Functions used by the platform

Out of scope: third-party services (Anthropic, Stripe, Supabase) — report to those providers directly.

Email info@misanpaige.com with the subject line [SECURITY]. Include:

• A clear description of the vulnerability
• Steps to reproduce (with a proof of concept if possible)
• Potential impact
• Your contact information

• Give us reasonable time (at least 90 days) to fix before public disclosure
• Do not access, modify, or delete data belonging to other users
• Do not perform denial-of-service testing
• Stay within the scope above

If you follow this policy in good faith, we will not pursue legal action against you for actions taken during your research. We do not currently offer monetary bounties but credit researchers in our changelog with their permission.

• Acknowledgement: within 3 business days
• Initial assessment: within 14 days
• Fix: within 90 days, depending on severity
• Public disclosure: coordinated with you