# Security & Vulnerability Reporting

At SpicyChat, we take the security and privacy of our users seriously.

We welcome responsible security research that helps us identify and fix vulnerabilities affecting our platform, user accounts, private data, payments, subscriptions, and related systems.

This Bug Bounty Program rewards eligible researchers who responsibly disclose valid security vulnerabilities. Rewards are based on the severity and real-world impact of the issue, and are issued on a first valid report basis.

***

### Scope

This program is focused on traditional web, application, API, account, payment, and data security issues affecting SpicyChat.

#### In Scope

The following assets are in scope:

* `spicychat.ai`
* SpicyChat web application
* SpicyChat public API endpoints
* `prod.nd-api.com` (publicly exposed endpoints)
* Official SpicyChat Android APK

Within these assets, we are especially interested in vulnerabilities related to:

* Authentication and account security
* Authorization controls
* Access to private user data
* Chat history storage and retrieval, from a data-access perspective
* Private character data and character storage
* Character creation, sharing, import/export, and storage, from a data-access perspective
* Payment, subscription, refund, and entitlement systems
* API endpoints used by our web and Android clients
* Session handling and account management

#### What We Are Especially Interested In

We welcome any valid in-scope security report, but the following areas are considered higher priority.

**Account and Data Security**

Examples include:

* Account takeover
* Authentication bypass
* Authorization flaws
* IDOR vulnerabilities
* Privilege escalation
* Session fixation or session reuse issues
* Exposure of private user data
* Unauthorized access to chat history
* Unauthorized access to private characters
* Exposure of emails, internal IDs, payment metadata, or sensitive account information

**Payment and Subscription Integrity**

Examples include:

* Bypassing paid features without a valid subscription
* Unauthorized changes to subscriptions
* Payment, refund, or entitlement tampering
* Gaining premium access without proper payment
* Incorrect entitlement assignment with real security or financial impact

**Web and API Security**

Examples include:

* Remote code execution
* SQL, NoSQL, command, or template injection
* Server-side request forgery
* Cross-site scripting with meaningful user or account impact
* Cross-site request forgery affecting sensitive actions
* API authorization flaws
* Security issues that expose internal systems, tokens, secrets, or user data

**Android APK Security**

Examples include:

* Insecure local storage of sensitive tokens or user data
* Insecure exported components with real security impact
* Deeplink or URL-scheme issues leading to account compromise or data exposure
* Issues in the official APK that could expose user data or account access

#### Out of Scope

The following are not eligible for bounty rewards.

**AI Output, Character Behavior, and Content Reports**

SpicyChat is an AI roleplay platform, so we understand that researchers may come across unusual model responses, character behavior, or moderation edge cases.

However, this Bug Bounty Program is specifically for security vulnerabilities. The following are not eligible for bounty rewards:

* AI response quality issues
* Hallucinations or unexpected model replies
* Character behavior concerns
* Jailbreaks that only affect AI output
* Prompt injection that only changes the character's response
* Content moderation disagreements
* Reports about specific characters or generated content
* Guardrail or filter bypasses that do not result in unauthorized access, data exposure, account compromise, payment abuse, or another concrete security impact

If an AI-related issue leads to a real security impact — such as unauthorized access to private data, account compromise, exposure of internal systems, or leakage of sensitive credentials — please report it clearly as a security vulnerability and explain the impact.

Content or moderation concerns should be reported through our normal support and reporting channels.

**Other Out-of-Scope Items**

The following are also out of scope:

* Third-party services we do not own or operate
* Payment processor vulnerabilities outside our own implementation
* Discord, Reddit, social media, or community platform issues
* Hosting provider or infrastructure provider issues not caused by our application
* Marketing pages, blog posts, status pages, or non-production assets unless they create a clear security impact
* Social engineering, phishing, impersonation, or contacting staff/users
* Physical attacks or device access
* Denial-of-service attacks, DDoS, load testing, or volumetric testing
* Brute force or credential stuffing
* Automated scanner output without a working proof of concept
* Self-XSS requiring a user to paste code into their own browser console
* Issues only exploitable on outdated, unsupported, rooted, or jailbroken devices
* Missing security headers without a demonstrated exploit
* Clickjacking on pages without sensitive actions
* Open redirects without account takeover, credential theft, or comparable impact
* Tabnabbing or low-impact UI redressing
* Rate-limit weaknesses without a complete attack chain
* Reports based only on disclosed software or library versions without a working exploit
* Reports requiring unrealistic attacker access or privileged positioning

{% hint style="info" %}
If you are unsure whether something is in scope, please contact us before testing.
{% endhint %}

***

### Rules of Engagement

To participate in this program, you must follow these rules.

**Do**

* Test only using accounts you own or have explicit permission to use
* Use the minimum access necessary to prove the issue
* Keep testing limited and controlled
* Stop testing once you have confirmed the security impact
* Report the issue privately through the official reporting channel
* Include enough detail for our team to reproduce the issue
* Respect user privacy and platform availability

**Do Not**

* Access, modify, save, copy, delete, or share another user's data
* Attempt to view private conversations beyond the minimum proof required
* Disrupt or degrade service for real users
* Run aggressive automated scans or high-volume testing
* Use social engineering against staff, contractors, creators, users, or moderators
* Attempt to extort payment or threaten public disclosure
* Publicly disclose the issue before we have had a reasonable opportunity to investigate and fix it
* Continue testing after discovering sensitive data exposure

{% hint style="warning" %}
If you accidentally access another user's data, stop immediately, do not save or share it, and include this in your report so we can investigate properly.
{% endhint %}

***

### How to Report

Please send security reports to:

**Email:** `security@nextday.ai`

**Subject line:** `[Bug Bounty] Short description of the issue`

#### What to Include

A strong report should include:

* **Summary** — A short description of the issue and why it matters.
* **Affected asset** — The affected URL, endpoint, feature, APK version, or component.
* **Steps to reproduce** — Clear, numbered steps that our team can follow.
* **Proof of concept** — Screenshots, video, logs, raw HTTP requests, or code showing the issue.
* **Impact** — What an attacker could achieve and who could be affected.
* **Suggested severity** — Your view of the severity, if known.
* **Suggested fix** — Optional, but appreciated.
* **Researcher details** — Your name or handle, contact email, and whether you would like public credit if applicable.

Reports that are missing key details may require follow-up before they can be triaged.

AI-assisted research is allowed, but reports must be based on testing you personally performed and verified. Submissions that appear to be raw, unverified AI-generated output may be closed without reward.

***

### Response Timeline

We aim to respond within the following timelines:

| Stage                               | Target                                          |
| ----------------------------------- | ----------------------------------------------- |
| Initial acknowledgement             | Within 3 business days                          |
| Initial triage                      | Within 10 business days of acknowledgement      |
| Status updates during investigation | As appropriate based on severity and complexity |
| Reward decision                     | After validation and severity review            |
| Reward payment                      | Within a reasonable timeframe after approval    |

These timelines are targets, not guarantees. Complex reports may require additional review.

Initial acknowledgement only confirms that we received your submission. It does not confirm that the issue is valid, new, in scope, eligible for a bounty, or assigned a specific severity.

***

### Severity and Rewards

Rewards are based on severity, impact, exploitability, and report quality.

We use CVSS v4.0 as a general reference for assessing vulnerability severity. Final severity is determined by our internal team based on the real-world impact to SpicyChat, our users, and our systems.

| Severity      | General CVSS v4.0 Range          | Example Impact                                                                                   |
| ------------- | -------------------------------- | ------------------------------------------------------------------------------------------------ |
| Critical      | 9.0 – 10.0                       | Account takeover, payment bypass at scale, remote code execution, major private data exposure    |
| High          | 7.0 – 8.9                        | Sensitive data exposure, privilege escalation, serious authorization flaws                       |
| Medium        | 4.0 – 6.9                        | Security logic flaws, limited data exposure, meaningful abuse vectors                            |
| Low           | 0.1 – 3.9                        | Minor security issues with limited impact                                                        |
| Informational | 0.0 or no direct security impact | Best-practice observations, hardening suggestions, or issues without demonstrated exploitability |

CVSS is used as a guide, not as the only deciding factor. We may adjust severity based on practical risk, user impact, exploitability, affected systems, and whether the issue can be chained with other findings.

Reward amounts are determined case by case based on:

* Severity of the vulnerability
* Real-world impact
* Number of users affected
* Exploitability and reliability
* Quality of the proof of concept
* Whether the report helps us understand and fix the issue quickly
* Whether multiple issues are chained together to create greater impact

Informational reports are not eligible for monetary rewards.

***

### First Valid Report Policy

Rewards are issued on a first valid report basis.

This means the reward is given to the first researcher who submits a clear, reproducible, previously unknown vulnerability.

Duplicate reports are not eligible for monetary rewards, even if the researcher discovered the issue independently.

A report is considered valid only when it includes enough information for our team to understand, reproduce, and assess the issue.

If your report is a meaningful variant of an already reported issue, such as a different root cause, broader impact, or a new attack chain, please explain that clearly. We will review it case by case.

For security and privacy reasons, we do not disclose details of prior reports, reporter identities, internal investigation notes, or internal timelines when closing duplicate submissions.

***

### Payment

Bounties are paid through our supported payment methods, which may include:

* PayPal
* Bank transfer
* Other approved payment methods

Payment options may vary depending on the researcher's location and our ability to process the payment.

Researchers are responsible for any taxes, fees, or reporting obligations in their own jurisdiction.

For larger payouts, we may require reasonable identity, payment, or tax-related information before issuing payment.

***

### Eligibility

To be eligible for a bounty, you must:

* Follow this policy
* Be at least 18 years old, or the age of majority in your jurisdiction
* Submit a valid, reproducible, in-scope security issue
* Be the first valid reporter of the issue
* Comply with applicable laws
* Not be a current employee, contractor, or immediate family member of an employee or contractor of SpicyChat or its parent company
* Not be located in a country or region where we are unable to legally issue payment

We reserve the right to deny rewards for reports that violate this policy, involve harmful activity, or are submitted in bad faith.

***

### Coordinated Disclosure

We follow a coordinated disclosure process.

Please do not publicly disclose a vulnerability until we have investigated and had a reasonable opportunity to fix it.

Our default disclosure window is 90 days from acknowledgement of the report, unless otherwise agreed in writing.

If you plan to publish a write-up after the issue is resolved, please coordinate with us in advance so we can confirm the issue is fully fixed and avoid exposing users to unnecessary risk.

With your permission, we may credit you in a public advisory or acknowledgment.

***

### Confidentiality

Information you encounter during good-faith security research — including vulnerability details, internal system behavior, source code fragments, error messages, configuration data, and any user or account information accidentally observed — must be treated as confidential.

You agree to:

* Not share vulnerability details, proof-of-concept material, or related findings with any third party before the issue is resolved and we have authorized disclosure
* Not retain copies of any user data, internal data, source code, or credentials encountered during testing once your report has been submitted
* Delete any locally stored proof-of-concept artifacts that contain real user data, secrets, or sensitive system information after your report has been triaged
* Treat communications with our security team as confidential unless we expressly agree otherwise

If you are uncertain whether something can be shared (for example, in a conference talk, blog post, or write-up), please contact us before publishing.

***

### Safe Harbor

We support good-faith security research.

If you follow this policy, make a good-faith effort to avoid privacy violations, service disruption, and data exposure, and report issues responsibly, we will consider your research authorized.

We will not pursue legal action against you for research conducted in accordance with this policy.

Safe harbor does not apply to activity that violates this policy, harms users, disrupts our services, accesses or shares user data beyond what is necessary, attempts extortion, or is otherwise unlawful.

If a third party initiates legal action related to research that complied with this policy, we will make clear that your research was authorized by us.

***

### Program Changes

We may update this policy from time to time.

The version of the policy in effect at the time of submission will apply to that report.

***

### Questions

If you are unsure whether something is in scope, or if you want to clarify a rule before testing, please contact us before you begin.

**Email:** `security@nextday.ai`

Thank you for helping us keep SpicyChat safe.
