Responsible Security Disclosure

Last updated — 2023-02-13


Preface

We take the security of our services and our users’ data very seriously. This document intends to establish the means by which you can report any security vulnerability to us safely, and the measures we will take to rectify it.

We appreciate any disclosure, but we ask that you follow the guidelines below to ensure safety and legal compliance.

Contacting us

Once you’ve discovered a security vulnerability, please report it to us at our security disclosure address: security@cosmic.media. We prefer that you encrypt your message using PGP, especially if the vulnerability is particularly critical. Our PGP public keys are available at https://cosmic.media/pgp.

Please do not report security vulnerabilities through any other means. Reporting directly to security@cosmic.media ensures a quick response from appropriate personnel.

Guidelines

We will investigate all legitimate disclosures sent to us (as described above) and make an effort to resolve them as quickly as possible, as well as notify anyone that may have been affected. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the following guidelines on responsible disclosure:

  1. You provide details to reproduce the problem and a Proof of Concept showing how it could be exploited. Vulnerabilities that affect the functionality or security of the user accounts of anyone but the tester need to be reported within 7 days.
  2. You make a good-faith effort to avoid privacy violations of any user, destruction of data, or interruption of service.
  3. You do not access or modify any data not belonging to you.
  4. You give us a reasonable time to correct the issue and prevent further abuse before publicly disclosing the vulnerability.

For your assurance,

  1. CosmicMedia considers that a pre-approved, good-faith security researcher who complies with this policy while accessing our service has not accessed a computer without authorization or exceeded authorized access under the Computer Fraud and Abuse Act ("CFAA").
  2. CosmicMedia will not bring a copyright infringement claim under the Digital Millennium Copyright Act ("DMCA") against any pre-approved, good-faith security researcher who circumvents security mechanisms, so long as the researcher does not access any other code or binaries not pertinent to their research.