Security

Vulnerability Disclosure Policy

We take the security of SenAI.SAM and our users' data seriously. If you believe you have found a security vulnerability, we encourage you to report it responsibly.

Scope

The following domains and assets are in scope for this disclosure programme:

sam.arcane.group — primary application
*.sam.arcane.group — application subdomains
SenAI.SAM API endpoints (sam.arcane.group/api/*)

Out of scope: third-party services (Supabase, Stripe, Vercel, Resend), social engineering attacks, denial-of-service attacks, and any testing that degrades service for other users.

Submission Process

Please send vulnerability reports to:

security@arcane.group

Include the following in your report:

A description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
The affected URL, endpoint, or component
Any proof-of-concept code or screenshots
Your contact information for follow-up

Response Timeline

1. Acknowledgement: 48 hours

We will confirm receipt of your report and assign a tracking reference.

2. Triage: 5 business days

We will assess the severity and validity of the reported vulnerability and provide an initial response.

3. Resolution: ongoing

We will work to remediate confirmed vulnerabilities and keep you informed of progress. Timelines vary by severity.

Safe Harbour

We consider security research conducted in accordance with this policy to be authorised and will not pursue legal action against researchers who:

Act in good faith to avoid privacy violations, data destruction, and service disruption
Only interact with accounts they own or have the explicit permission of the account holder to test
Do not exploit a vulnerability beyond what is necessary to demonstrate it
Report vulnerabilities promptly and do not disclose them publicly before we have had a reasonable opportunity to address them
Do not use automated scanning tools that generate excessive traffic

We will not pursue civil or criminal action, or send notice to law enforcement, for security research conducted in compliance with this policy. We consider activities conducted consistent with this policy to constitute "authorised conduct" under the Computer Misuse Act 1990.

Bounties

This programme does not offer monetary bounties at this time. We are grateful for responsible disclosures and will acknowledge researchers in our hall of fame (with permission). As the programme matures, we may introduce a paid bounty programme.

Acknowledgements

We would like to thank the following individuals for responsibly disclosing security vulnerabilities:

No submissions yet. Be the first to help us improve our security.