Security

1. Reporting Security Issues

Send security reports to [email protected] with the subject line "Security report".

Please include the affected URL or feature, the steps needed to reproduce the issue, the expected impact, and any safe proof of concept. Do not include secrets, access tokens, private user content, payment data, or personal information that is not yours.

2. Research Rules

Only test with accounts, images, prompts, and data that you own or are explicitly authorized to use. Stop testing and contact us immediately if you encounter another user's data, private media, credentials, or other sensitive information.

Do not access, modify, delete, download, or disclose data that is not yours. Do not perform denial-of-service testing, spam, phishing, social engineering, physical attacks, extortion, or high-volume automated scanning.

Give us a reasonable time to investigate and address the report before any public disclosure.

3. Scope

In-scope reports cover vulnerabilities in the public Soulmine service at soulmine.app that could affect user accounts, uploaded images, generated content, credits, payments, authentication, authorization, or production infrastructure.

Out-of-scope reports include missing best-practice headers without a practical exploit, clickjacking on pages that do not perform sensitive actions, rate limits without a demonstrated security impact, scanner-only findings without verification, and issues in third-party services outside our control.

4. Response

We aim to acknowledge security reports within seven days. Follow-up timing depends on severity, reproducibility, and whether third-party providers are involved.

Soulmine does not currently run a paid bug bounty. Reports are appreciated, but submitting one does not entitle you to compensation.

5. Automated Discovery