Published for transparency while formal governance documents are prepared with counsel. There is no binding effective date until this banner is removed.
This policy invites good-faith security research on the shteg.ai web properties and the public developer API. In scope are vulnerabilities that could affect the confidentiality, integrity, or availability of the platform — authentication and authorization flaws, injection, tenant-isolation gaps, and similar. Out of scope are denial-of-service testing, social engineering of staff, physical attacks, automated scanner noise without a demonstrated impact, and anything that would access, exfiltrate, or destroy real data. This is a draft published for transparency; the binding version will refine scope and terms with counsel.
If you make a good-faith effort to comply with this policy during your research, we will consider that research authorized, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue. Good faith means: you avoid privacy violations and data destruction, you do not access more data than necessary to demonstrate the issue, you stop and report once you have found a vulnerability, and you keep the details confidential until we have had a reasonable opportunity to remediate.
Send reports to our security contact. Machine-readable contact details are published at /.well-known/security.txt. Include the affected endpoint or page, reproduction steps, and the impact you observed; a proof of concept helps. Please do not open a public issue or disclose the finding publicly before coordinated remediation.
In the interest of honesty: there is no paid bug-bounty program at this time. We offer recognition and our genuine thanks, and we intend to acknowledge receipt of a valid report promptly and to keep you informed as we work toward a fix, coordinating public disclosure with you once the issue is resolved. As the platform matures these commitments — including response-time targets and any future bounty — will be formalized in the binding version.
Until a formal bounty program and machine-readable disclosure channel are finalized, a direct email is the reliable path. Send your findings and a human will respond. When the binding policy is published, this draft banner will come down and formal response-time commitments will appear.
Good-faith findings on the shteg.ai web properties or public API — email the details and a human will respond. No form that posts into a void.