Sign up

Responsible disclosure policy

At Simtheory, we take security seriously and value the contributions of the security community. If you've discovered a vulnerability, we want to hear from you.

Submit a vulnerability report

Our commitment to you

We are committed to working with security researchers to resolve issues promptly. In return for your help, we promise:

  • We will respond to your report promptly, typically within 3-5 business days.
  • We will keep you updated on our progress as we work to resolve the issue.
  • We will not take legal action against you if you act in good faith and adhere to this policy (our "Safe Harbor" promise).

Bug bounties

Simtheory offers bug bounties for reports that identify serious and previously unknown security issues.

Payouts are determined on a case-by-case basis and depend on the severity, impact, and quality of your report. We strive to be fair and generous for significant findings.

More information including payout structure is available here: https://simtheory.ai/.well-known/security.txt

Rules of engagement

Please do:

  • Act in good faith. Make every effort to avoid privacy violations, data destruction, and service interruptions.
  • Only interact with accounts you own or have explicit permission to test.
  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Please do not:

  • Engage in Denial of Service (DoS) or DDoS attacks.
  • Send spam of any kind.
  • Perform social engineering or phishing on our employees, contractors, or customers.
  • Conduct any physical attacks against Simtheory property or data centers.
  • Access or modify data in accounts you do not own.

Payments

Payments are handled via Wise. You will need to be able to accept payments with Wise or have a Wise account in order for us to pay your bug bounty.

Once your report has been validated and a bounty amount agreed, we will request your Wise payment details and process the payment promptly.

If you have any questions about payments or need to discuss alternative arrangements, please get in touch with us.

Safe harbor

Activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Questions?

If you have any questions, please don't hesitate to get in touch with us.