Security
Responsible disclosure policy
Found a security issue in searchrAInk? We want to hear about it. This page explains how to reach us, what’s in scope, and what to expect in return.
How to report
Email security@human.searchraink.com with as much detail as you can share. A good report includes:
- A short summary of the issue and its impact.
- Steps to reproduce — the more concrete, the faster we can confirm.
- Affected URL, endpoint, or component.
- A proof-of-concept if you have one (screenshots, requests, or a minimal script).
- Your name or handle if you’d like to be credited in our reply.
We aim to acknowledge every report within 3 business days.
Scope
In scope
- searchraink.com and all subdomains, including human.searchraink.com.
- API endpoints under searchraink.com/api/.
- The authenticated dashboard, report pages, and checkout flow.
Out of scope
searchrAInk is built on top of trusted third-party services. Vulnerabilities in those platforms should be reported to the vendors directly — we cannot triage or fix them ourselves:
- Clerk — authentication
- Convex — database and serverless functions
- Polar — payments and subscription management
- Vercel — hosting and edge delivery
- Resend and MailerSend — outbound and inbound email
- OpenRouter and the underlying AI model providers it proxies
Out-of-scope testing
To keep the service stable for paying customers and to avoid harming people, the following testing is not permitted:
- Denial-of-service or load testing of any kind (including brute-force against login).
- Social engineering of staff, contractors, customers, or partners.
- Physical attacks against offices or personnel.
- Automated vulnerability scanners without prior written approval — they generate noise and can destabilise the service.
- Accessing, modifying, or exfiltrating data that is not yours. Use your own test accounts and your own test data.
Safe harbor
If you make a good-faith effort to comply with this policy, searchrAInk will not pursue or support legal action against you for your research. We will work with you to understand and resolve the issue quickly.
In return we ask that you:
- Only interact with data that belongs to you or to test accounts you control.
- Stop as soon as you’ve demonstrated the vulnerability — don’t escalate further than needed to prove impact.
- Keep the details private until we’ve had reasonable time to investigate and release a fix.
- Don’t violate any other applicable laws while testing.
What happens next
- We acknowledge your report within 3 business days.
- We triage the issue and confirm whether it’s reproducible.
- We work on a fix. The timeline depends on severity — critical issues get same-day or next-day attention; lower-severity issues may take longer.
- We keep you updated along the way and let you know when the fix is live.
- We prefer coordinated disclosure. Please hold off publishing details until we’ve shipped the fix, and we’ll do the same.
Thank you for helping keep searchrAInk and its customers safe.
security@human.searchraink.com