Responsible Disclosure
How to report security vulnerabilities.
“Found a security vulnerability? Email info@misanpaige.com privately. Give us 90 days to fix it. We will not take legal action against good-faith researchers.”
Our Commitment
MisanpAIge welcomes reports from security researchers, academics, and users who discover potential vulnerabilities. We are committed to:
- Acknowledging receipt within 3 business days.
- Keeping you informed throughout the investigation.
- Resolving confirmed vulnerabilities as quickly as possible.
- Not pursuing legal action against researchers who act in good faith.
Scope
The following are in scope:
- misanpaige.com and all subdomains.
- Authentication system — login, registration, session management, password reset.
- API integrations — client-side Anthropic API logic and Supabase interactions.
- User data handling — any issue exposing, modifying, or destroying user account data.
- Payment flow — Stripe integration and credit/subscription logic.
Out of Scope
The following are not in scope:
- Vulnerabilities in third-party services (Anthropic, Supabase, Stripe, Cloudflare) — report these directly to them.
- Social engineering attacks targeting staff or users.
- Denial of service (DoS/DDoS) testing.
- Automated scanner output without evidence of a real vulnerability.
- Issues requiring physical device access.
- Missing HTTP headers without demonstrated concrete impact.
Do not access, modify, or delete data that does not belong to you. Use your own test accounts only for any proof of concept.
How to Report
Send your report to:
- Email: info@misanpaige.com
- Subject line: "Security Vulnerability Report"
Please do not report security vulnerabilities through public channels, social media, or forums.
What to Include
To help us triage and reproduce quickly:
- A clear description of the vulnerability and potential impact.
- The affected URL(s), endpoint(s), or component(s).
- Step-by-step reproduction instructions.
- Any proof-of-concept code, screenshots, or recordings (test accounts only).
- Your severity assessment: Critical / High / Medium / Low / Informational.
- Your name or alias and preferred contact method.
Response Process
- Day 1–3: Acknowledge receipt and assign an internal tracking reference.
- Day 3–10: Initial triage — confirm reproducibility and scope.
- Day 10–30: Investigate root cause and develop a fix.
- Day 30–90: Deploy fix and notify you.
- After fix: Coordinate public disclosure timing with you.
We ask for a 90-day coordinated disclosure period from acknowledgement before public disclosure.
Safe Harbour
MisanpAIge will not pursue civil or criminal action against researchers who:
- Report in good faith through this policy.
- Avoid privacy violations, service disruption, and data destruction.
- Do not exploit a vulnerability beyond what is necessary to demonstrate it.
- Do not access data beyond their own test accounts.
- Allow reasonable time to remediate before public disclosure.
We consider activities conducted in good faith and in accordance with this policy to be authorised access for the purposes of applicable computer crime law.
Recognition
We value security research and recognise good-faith disclosures with:
- A personal acknowledgement from the MisanpAIge team.
- Public credit in our security hall of fame (with your permission).
- A complimentary credit package for confirmed vulnerabilities of Medium severity or higher.
No Bug Bounty Programme
MisanpAIge does not currently operate a formal paid bug bounty programme. Any rewards are at our sole discretion. We hope to launch a formal programme in the future.