Security Disclosure

We appreciate responsible disclosure. Email security@originary.xyz or contact@originary.xyz with details and reproduction steps.

Our commitment

• We'll acknowledge within 5 business days
• Keep you updated on our progress
• Provide public credit where possible
• Work with you on responsible disclosure timing

Guidelines

• Please avoid testing against other users' accounts
• Respect rate limits and don't cause service disruption
• Don't access or modify data that isn't yours
• Report vulnerabilities as soon as you discover them

Scope

This policy covers:

• originary.xyz and subdomains
• Our APIs and services
• CLI and code samples we publish
• Infrastructure directly under our control

What to include

• Detailed description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any proof-of-concept code (if applicable)
• Your preferred method of communication

Bounty program

No formal bounty program at this time. We do provide public credit and our sincere gratitude for responsible disclosure.

Legal

We will not pursue legal action against researchers who:

• Follow this responsible disclosure policy
• Act in good faith
• Don't violate privacy or cause harm
• Don't access or modify data beyond what's necessary for testing