Security
Policy last updated 2026-04-17.
Reporting a vulnerability
If you find a security issue, email [email protected]. Encrypt with our PGP key if the issue is sensitive (request the key in your first message).
Please include:
- A description of the vulnerability and its impact
- Minimal reproduction steps, including any request headers / payloads
- Whether you're comfortable being credited publicly
We acknowledge within 48 hours and aim to fix critical issues within 7 days. Please do not publicly disclose a vulnerability before we've shipped a fix.
Out of scope
- Missing best-practice HTTP headers on legacy endpoints — we track these but don't treat them as vulns unless they enable an exploit
- Rate-limit bypass via key rotation alone — the rate limit is a traffic-shaping tool, not a security boundary
- Self-XSS, issues requiring physical access, or any attack on third-party services (Stripe, Binance, Cloudflare) that we embed
In scope
- Authentication bypass on any authed endpoint
- Exposure of another customer's API key, webhook secret, or billing metadata
- Server-side request forgery, remote code execution, SQL injection, account takeover
- Signature bypass on our outbound webhook HMAC (X-Amaneki-Signature)
- Privilege escalation inside the named-preset / webhook subscription systems
Recognition
We don't run a paid bug bounty at this size. If you report something material and want to be credited, we'll add you to SECURITY_HALL_OF_FAME.md in the repo once the fix ships.
Keys and tokens
- API keys: rotate anytime via POST /v1/me/rotate-key. The previous key is invalidated instantly.
- Webhook signing secrets: shown once at subscription creation. To rotate, delete the subscription and create a new one.
- Stripe keys: live keys are never loaded into the landing page or the SDK.
security.txt
Machine-readable disclosure info at /.well-known/security.txt.