---
title: Security and Responsible Disclosure
description: How to report Edgaze security issues and the boundaries for good-faith vulnerability reporting.
source: https://www.edgaze.ai/docs/security-responsible-disclosure
last_updated: 2026-03-15
section: legal
---
# Security and Responsible Disclosure

> How to report Edgaze security issues and the boundaries for good-faith vulnerability reporting.

## Overview

This policy explains how to report security issues affecting Edgaze and the boundaries for good-faith vulnerability research.

It does not authorize unapproved testing, scanning, or access to accounts or data without permission.

## Reporting Security Issues

### What to include

If you believe you have found a vulnerability affecting Edgaze, report it to `security@edgaze.ai`. Include a clear description, affected URL or feature, steps to reproduce, impact, screenshots or logs where useful, and your contact information.

## Good-Faith Research

Good-faith reporting means you:

- Avoid accessing, modifying, deleting, or exfiltrating data that is not yours.
- Avoid disrupting service, degrading performance, or triggering excessive automated traffic.
- Stop testing once you have enough information to demonstrate the issue.
- Keep the issue confidential while Edgaze investigates.
- Do not use the issue for fraud, extortion, competitive harm, spam, account takeover, or data extraction.

## No Authorization for Unapproved Testing

### Prohibited testing

This policy does not authorize penetration testing, automated scanning, social engineering, physical attacks, denial-of-service testing, credential attacks, rate-limit bypassing, payment abuse, or access to accounts/data without permission.

### Policy and legal limits

Testing that violates law, the [Acceptable Use Policy](/docs/acceptable-use-policy), or third-party terms is not authorized by this policy.

## Scope

### In-scope surfaces

Reports may relate to Edgaze web surfaces, APIs, auth flows, checkout flows, creator dashboards, hosted workflow execution, public docs, or platform-controlled infrastructure.

### Third-party services

Third-party services such as Stripe, Supabase, Vercel, Cloudflare, OpenAI, Anthropic, Google, and external APIs have their own security programs and should be reported through their channels unless the issue is specifically in Edgaze's integration.

## No Bounty Unless Announced

Edgaze does not currently offer a public bug bounty, reward, compensation, swag, or guaranteed acknowledgment unless separately announced in writing.

## What Edgaze May Do

Edgaze may investigate, request more information, prioritize, remediate, decline, disclose, or take protective action. Reports do not create an obligation to fix within a specific timeline.

## Contact

Security reports: `security@edgaze.ai`

General support: `support@edgaze.ai`

## Related Policies

- [Acceptable Use Policy](/docs/acceptable-use-policy)
- [Privacy Policy](/docs/privacy-policy)
- [Terms of Service](/docs/terms-of-service)
