Security & Vulnerability Reporting
At SpicyChat, we take the security and privacy of our users seriously.
We welcome responsible security research that helps us identify and fix vulnerabilities affecting our platform, user accounts, private data, payments, subscriptions, and related systems.
This Bug Bounty Program rewards eligible researchers who responsibly disclose valid security vulnerabilities. Rewards are based on the severity and real-world impact of the issue, and are issued on a first valid report basis.
Scope
This program is focused on traditional web, application, API, account, payment, and data security issues affecting SpicyChat.
What we reward. Our bounties are for security vulnerabilities, meaning flaws that let someone cross a boundary they are not authorized to cross, with impact on other users or on the integrity and availability of the service: unauthorized access to or modification of other people's data, accounts, or subscriptions; privilege escalation; remote code execution; secret or credential exposure; or taking the service down for others.
We do not pay bounties for abuse of business rules, that is, using a flaw to get more for your own account than intended (exceeding your plan's limits, accessing a feature without paying, or consuming extra free resources). These are handled as product bugs, not security rewards. (Genuine unauthorized access, data exposure, or availability impact is still covered by the security categories above, on its own merits.)
In Scope
The following assets are in scope:
spicychat.ai
SpicyChat web application
SpicyChat public API endpoints
prod.nd-api.com (publicly exposed endpoints)
Official SpicyChat Android APK
Within these assets, we are especially interested in vulnerabilities related to:
Authentication and account security
Authorization controls
Access to private user data
Chat history storage and retrieval, from a data-access perspective
Private character data and character storage
Character creation, sharing, import/export, and storage, from a data-access perspective
Payment, subscription, refund, and entitlement systems
API endpoints used by our web and Android clients
Session handling and account management
What We Are Especially Interested In
We welcome any valid in-scope security report, but the following areas are considered higher priority.
Account and Data Security
Examples include:
Account takeover
Authentication bypass
Authorization flaws
IDOR vulnerabilities
Privilege escalation
Session fixation or session reuse issues
Exposure of private user data
Unauthorized access to chat history
Unauthorized access to private characters
Exposure of emails, internal IDs, payment metadata, or sensitive account information
Payment and Subscription Integrity
Examples include:
Tampering with payments, refunds, subscriptions, or entitlements, especially changes affecting other users' accounts
Defeating server-side payment or entitlement validation to commit genuine financial fraud, e.g. granting paid entitlements to arbitrary accounts, manipulating amounts charged, or affecting other users' billing (merely accessing a paid feature on your own account is out of scope; see Self-serving abuse / business-logic limits)
Forging or replaying payment or subscription confirmations
Web and API Security
Examples include:
Remote code execution
SQL, NoSQL, command, or template injection
Server-side request forgery
Cross-site scripting with meaningful user or account impact
Cross-site request forgery affecting sensitive actions
API authorization flaws
Security issues that expose internal systems, tokens, secrets, or user data
Android APK Security
Examples include:
Insecure local storage of sensitive tokens or user data
Insecure exported components with real security impact
Deeplink or URL-scheme issues leading to account compromise or data exposure
Issues in the official APK that could expose user data or account access
Out of Scope
The following are not eligible for bounty rewards.
AI Output, Character Behavior, and Content Reports
SpicyChat is an AI roleplay platform, so we understand that researchers may come across unusual model responses, character behavior, or moderation edge cases.
However, this Bug Bounty Program is specifically for security vulnerabilities.
The following are not eligible for bounty rewards:
AI response quality issues
Hallucinations or unexpected model replies
Character behavior concerns
Jailbreaks that only affect AI output
Prompt injection that only changes the character's response
Content moderation disagreements
Reports about specific characters or generated content
Guardrail or filter bypasses that do not result in unauthorized access, data exposure, account compromise, payment abuse, or another concrete security impact
If an AI-related issue leads to a real security impact, such as unauthorized access to private data, account compromise, exposure of internal systems, or leakage of sensitive credentials, please report it clearly as a security vulnerability and explain the impact.
Content or moderation concerns should be reported through our normal support and reporting channels.
Other Out-of-Scope Items
The following are also out of scope:
Third-party services we do not own or operate
Payment processor vulnerabilities outside our own implementation
Discord, Reddit, social media, or community platform issues
Hosting provider or infrastructure provider issues not caused by our application
Marketing pages, blog posts, status pages, or non-production assets unless they create a clear security impact
Social engineering, phishing, impersonation, or contacting staff/users
Physical attacks or device access
Denial-of-service attacks, DDoS, load testing, or volumetric testing
Brute force or credential stuffing
Automated scanner output without a working proof of concept
Self-XSS requiring a user to paste code into their own browser console
Issues only exploitable on outdated, unsupported, rooted, or jailbroken devices
Missing security headers without a demonstrated exploit
Clickjacking on pages without sensitive actions
Open redirects without account takeover, credential theft, or comparable impact
Tabnabbing or low-impact UI redressing
Self-serving abuse / business-logic limits. Using a flaw (including race conditions or repeated/concurrent requests) to get more out of your own account than your plan intends: exceeding usage or quota limits (e.g. creating more personas, images, or messages than your tier allows), or accessing a paid feature without paying, where the beneficiary is your own account. This is out of scope. We may still fix these as product bugs.
Rate-limit weaknesses without a complete attack chain that reaches impact on other users or the service itself (chaining a limit bypass purely to exceed your own account's limits does not qualify; see Self-serving abuse / business-logic limits above and What we reward)
Reports based only on disclosed software or library versions without a working exploit
Reports requiring unrealistic attacker access or privileged positioning
If you are unsure whether something is in scope, please contact us before testing.
Rules of Engagement
To participate in this program, you must follow these rules.
Do
Test only using accounts you own or have explicit permission to use
Use the minimum access necessary to prove the issue
Keep testing limited and controlled
Stop testing once you have confirmed the security impact
Report the issue privately through the official reporting channel
Include enough detail for our team to reproduce the issue
Respect user privacy and platform availability
Do Not
Access, modify, save, copy, delete, or share another user's data
Attempt to view private conversations beyond the minimum proof required
Disrupt or degrade service for real users
Run aggressive automated scans or high-volume testing
Use social engineering against staff, contractors, creators, users, or moderators
Attempt to extort payment or threaten public disclosure
Publicly disclose the issue before we have had a reasonable opportunity to investigate and fix it
Continue testing after discovering sensitive data exposure
If you accidentally access another user's data, stop immediately, do not save or share it, and include this in your report so we can investigate properly.
How to Report
Please send security reports to:
Email: security@nextday.ai
Use the subject line:
[Bug Bounty] Short description of the issue
What to Include
A strong report should include:
Summary: A short description of the issue and why it matters.
Affected asset: The affected URL, endpoint, feature, APK version, or component.
Steps to reproduce: Clear, numbered steps that our team can follow.
Proof of concept: Screenshots, video, logs, raw HTTP requests, or code showing the issue.
Impact: What an attacker could achieve and who could be affected.
Suggested severity: Your view of the severity, if known.
Suggested fix: Optional, but appreciated.
Researcher details: Your name or handle, contact email, and whether you would like public credit if applicable.
Reports that are missing key details may require follow-up before they can be triaged.
AI-assisted research is allowed, but reports must be based on testing you personally performed and verified. Submissions that appear to be raw, unverified AI-generated output may be closed without reward.
Response Timeline
We aim to respond within the following timelines:
Initial acknowledgement: within 3 business days
Initial triage: within 10 business days of acknowledgement
Status updates during investigation: as appropriate based on severity and complexity
Reward decision: after validation and severity review
Reward payment: within a reasonable timeframe after approval
These timelines are targets, not guarantees. Complex reports may require additional review.
Initial acknowledgement only confirms that we received your submission. It does not confirm that the issue is valid, new, in scope, eligible for a bounty, or assigned a specific severity.
Severity and Rewards
Rewards are based on severity, impact, exploitability, and report quality.
We use CVSS v4.0 as a general reference for assessing vulnerability severity. Final severity is determined by our internal team based on the real-world impact to SpicyChat, our users, and our systems.
Critical (CVSS 9.0–10.0): account takeover, large-scale payment or billing fraud, remote code execution, major private data exposure
High (CVSS 7.0–8.9): sensitive data exposure, privilege escalation, serious authorization flaws
Medium (CVSS 4.0–6.9): security logic flaws, limited data exposure, limited authorization or logic flaws
Low (CVSS 0.1–3.9): minor security issues with limited impact
Informational (CVSS 0.0 or no direct security impact): best-practice observations, hardening suggestions, or issues without demonstrated exploitability
CVSS is used as a guide, not as the only deciding factor. We may adjust severity based on practical risk, user impact, exploitability, affected systems, and whether the issue can be chained with other findings.
Reward amounts are determined case by case based on:
Severity of the vulnerability
Real-world impact
Number of users affected
Exploitability and reliability
Quality of the proof of concept
Whether the report helps us understand and fix the issue quickly
Whether multiple issues are chained together to create greater impact
Informational reports are not eligible for monetary rewards.
First Valid Report Policy
Rewards are issued on a first valid report basis.
This means the reward is given to the first researcher who submits a clear, reproducible, previously unknown vulnerability.
Duplicate reports are not eligible for monetary rewards, even if the researcher discovered the issue independently.
A report is considered valid only when it includes enough information for our team to understand, reproduce, and assess the issue.
If your report is a meaningful variant of an already reported issue, such as a different root cause, broader impact, or a new attack chain, please explain that clearly. We will review it case by case.
For security and privacy reasons, we do not disclose details of prior reports, reporter identities, internal investigation notes, or internal timelines when closing duplicate submissions.
Payment
Bounties are paid through our supported payment methods, which may include:
PayPal
Bank transfer
Other approved payment methods
Payment options may vary depending on the researcher's location and our ability to process the payment.
Researchers are responsible for any taxes, fees, or reporting obligations in their own jurisdiction.
For larger payouts, we may require reasonable identity, payment, or tax-related information before issuing payment.
Eligibility
To be eligible for a bounty, you must:
Follow this policy
Be at least 18 years old, or the age of majority in your jurisdiction
Submit a valid, reproducible, in-scope security issue
Be the first valid reporter of the issue
Comply with applicable laws
Not be a current employee, contractor, or immediate family member of an employee or contractor of SpicyChat or its parent company
Not be located in a country or region where we are unable to legally issue payment
We reserve the right to deny rewards for reports that violate this policy, involve harmful activity, or are submitted in bad faith.
Coordinated Disclosure
We follow a coordinated disclosure process.
Please do not publicly disclose a vulnerability until we have investigated and had a reasonable opportunity to fix it.
Our default disclosure window is 90 days from acknowledgement of the report, unless otherwise agreed in writing.
If you plan to publish a write-up after the issue is resolved, please coordinate with us in advance so we can confirm the issue is fully fixed and avoid exposing users to unnecessary risk.
With your permission, we may credit you in a public advisory or acknowledgment.
Confidentiality
Information you encounter during your research must be treated as confidential. By participating, you agree to:
Not share vulnerability details, proof-of-concept material, or related findings with any third party before the issue is resolved and we have authorized disclosure.
Not retain copies of any user data, internal data, source code, or credentials encountered during testing once your report has been submitted.
Delete any locally stored proof-of-concept artifacts that contain real user data, secrets, or sensitive system information after your report has been triaged.
Treat your communications with the security team as confidential unless we explicitly authorize otherwise.
If you are unsure whether you can share or publish something, for example in a conference talk, blog post, or write-up, please contact us before publishing.
Safe Harbor
We support good-faith security research.
If you follow this policy, make a good-faith effort to avoid privacy violations, service disruption, and data exposure, and report issues responsibly, we will consider your research authorized.
We will not pursue legal action against you for research conducted in accordance with this policy.
Safe harbor does not apply to activity that violates this policy, harms users, disrupts our services, accesses or shares user data beyond what is necessary, attempts extortion, or is otherwise unlawful.
If a third party initiates legal action related to research that complied with this policy, we will make clear that your research was authorized by us.
Program Changes
We may update this policy from time to time. The current published version of this policy applies to all reports, including those submitted before a change; the version in effect at the time you submitted does not lock in the terms for your report. We encourage you to review the latest policy before submitting.
Last updated: 2026-06-02
Questions
If you are unsure whether something is in scope, or if you want to clarify a rule before testing, please contact us before you begin.
Email: security@nextday.ai
Thank you for helping us keep SpicyChat safe.