Security & Vulnerability Disclosure
Last updated: April 23, 2026 · How to report a security vulnerability, what we commit to in response, and what responsible disclosure means for snapshots.cloud.
1. Our Security Commitment
The security of snapshots.cloud and the privacy of our users' data are a priority. We appreciate the work of security researchers who help identify vulnerabilities before they can be exploited. This page describes how to report a vulnerability responsibly and what you can expect from us in return.
We commit to: responding promptly to valid reports, keeping you informed of our progress, not pursuing legal action against researchers who act in good faith under this policy, and acknowledging your contribution when a vulnerability is confirmed and resolved.
2. Scope
The following assets are in scope for vulnerability reports:
- snapshots.cloud — the main application (web frontend, API backend)
- vault.snapshots.cloud — the WordPress archive site
- Any subdomain of snapshots.cloud that serves user-facing functionality
The following are out of scope:
- Third-party services we use (AWS, Stripe, Anthropic, fal.ai, ElevenLabs, Shotstack) — report these to the respective vendor
- Denial-of-service attacks or automated scanning that affects service availability
- Social engineering attacks against our staff or users
- Physical security
- Vulnerabilities in outdated browsers or platforms we do not support
- Issues that require unlikely user interaction or do not present a realistic attack path
- Missing security headers with no demonstrable impact
- Rate limit findings on non-sensitive endpoints
- Self-XSS (requires a user to attack themselves)
3. How to Report
Send your report to: security@snapshots.cloud
Please include as much of the following as possible:
- Description — a clear description of the vulnerability and its potential impact
- Steps to reproduce — a step-by-step guide to reproduce the issue reliably
- Proof of concept — screenshots, screen recordings, or code demonstrating the vulnerability (do not include actual user data)
- Affected URL or endpoint — the specific location of the vulnerability
- Your assessment of severity — your view on the impact (informational, low, medium, high, critical)
- Your contact details — so we can follow up with you
If you believe the vulnerability is severe and involves sensitive data, you may encrypt your report. Contact us first at the address above and we will provide a PGP key on request.
4. What We Will Do
Upon receiving your report, we commit to:
- Acknowledgement — confirm receipt of your report within 3 business days
- Initial assessment — provide an initial assessment of the report's validity and severity within 10 business days
- Regular updates — keep you informed of our progress at least every 14 days until the issue is resolved
- Remediation — work to remediate confirmed vulnerabilities in a timeframe proportionate to severity (critical issues prioritised immediately)
- Notification — notify you when the vulnerability has been fixed
- Attribution — acknowledge your contribution publicly (with your permission) once the issue is resolved
5. Responsible Disclosure Guidelines
To qualify for our safe harbour commitment (Section 6), your research must comply with the following:
- Do not access user data — if you discover a vulnerability that exposes user data, do not read, download, modify, or delete it. Stop at proof of concept and report immediately.
- Do not disrupt the service — do not perform testing that degrades performance or availability for other users. Use your own accounts for testing.
- Do not use automated scanners aggressively — light automated scanning is acceptable; aggressive scanning that generates significant load is not.
- Do not exploit beyond proof of concept — demonstrate the vulnerability exists; do not chain exploits to gain deeper access than necessary to prove the issue.
- Keep it confidential — do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it. We ask for a minimum of 90 days from your initial report before public disclosure.
- Act in good faith — conduct research for the purpose of improving security, not for personal gain, extortion, or disruption.
- Use your own accounts — test only on accounts you own or have explicit permission to test. Do not create fake accounts to bypass restrictions.
6. Safe Harbour
We will not pursue legal action against security researchers who:
- Report vulnerabilities through the process described in this policy
- Comply with the responsible disclosure guidelines in Section 5
- Make a good faith effort to avoid harm to users, data, and service availability
- Do not exploit vulnerabilities for personal gain or to harm others
This safe harbour applies to activities conducted in accordance with this policy. It does not apply to activities that exceed the scope of this policy, involve accessing other users' data, or cause deliberate harm. We cannot speak on behalf of third parties — if your research involves third-party infrastructure (e.g., AWS), their policies apply independently.
7. Severity Classification
We use the following general severity classifications to prioritise remediation:
- Critical — remote code execution, authentication bypass, mass data exposure, account takeover at scale. Target remediation: immediate.
- High — individual account takeover, significant data exposure, privilege escalation. Target: within 7 days.
- Medium — limited data exposure, CSRF, stored XSS, insecure direct object references. Target: within 30 days.
- Low — information disclosure with limited impact, minor logic flaws. Target: within 90 days.
- Informational — best practice recommendations, missing non-critical headers. Addressed at our discretion.
8. No Bug Bounty Program
snapshots.cloud does not currently operate a paid bug bounty program. We cannot offer monetary rewards for vulnerability reports at this stage. We do offer public acknowledgement (with your permission) and our genuine gratitude for responsible contributions to our security.
We may introduce a formal bug bounty program in future. If we do, we will update this page and notify researchers who have previously submitted valid reports.
9. Contact
Security reports: security@snapshots.cloud
This address is for security vulnerability reports only. For general support, use hello@snapshots.cloud. For DMCA notices, use dmca@snapshots.cloud.