Vulnerability Disclosure Policy

Version 1.0 · Effective Date: May 13, 2026 · Last Updated: May 13, 2026

1. Introduction

Spinnable is committed to the security of our AI platform and values the contributions of security researchers. This policy describes how to report vulnerabilities, what you can expect from us, and the legal protections we provide. This policy follows the disclose.io framework.

2. Scope & Eligible Assets

We do not offer wildcard scope. If an asset is not explicitly listed below, do not test it.

In-Scope Assets (Full Coverage):

  • app.spinnable.ai — Production Frontend
  • spinnable-backend.fly.dev — Production Backend/API

Limited-Scope Assets (Managed Services):

  • api.spinnable.ai (Supabase API) — Authorization is strictly limited to vulnerabilities arising from Spinnable's configuration, integration, or usage. Vulnerabilities in Supabase's underlying infrastructure are excluded and must be reported directly to Supabase.

Out-of-Scope Assets:

  • spinnable.ai (Marketing Site)
  • docs.spinnable.ai (Documentation)
  • *.fly.dev (All preview/staging environments)
  • PR Previews
  • Third-party managed infrastructure (Supabase, Neon, Fly.io)
  • Third-party APIs (Meta/WhatsApp Business API, Slack API, Stripe)
  • CDN/Edge networks (Vercel, Cloudflare)
  • Private GitHub repositories
  • Customer data, customer configurations, and customer environments
  • Voice features (currently in Beta)

Excluded Vulnerability Classes:

  • Self-XSS — except where the reporter can demonstrate serious, measurable impact
  • Missing DMARC/SPF records without proven spoofing impact
  • Non-sensitive clickjacking
  • DoS/DDoS vectors
  • Social engineering
  • Physical security flaws
  • Automated scanner output submitted without a functional PoC

3. How to Report

  • Email: security@spinnable.ai
  • Subject line: [VDP] Descriptive vulnerability title
  • Include: vulnerability description, steps to reproduce, impact assessment, severity indication, and any supporting evidence
  • PGP encryption is not required; standard HTTPS/TLS transmission is deemed sufficient.

4. Rules of Engagement

  • Testing is authorized exclusively on In-Scope and Limited-Scope assets. All testing must be strictly non-destructive.
  • Rate Limits: Max 10 requests per second.
  • Automated Scanning: Tools (e.g., Nikto, Nuclei) are permitted provided they are strictly throttled.
  • Data Access: Do not access, modify, delete, or exfiltrate real customer data.
  • Account Isolation: Only interact with test accounts you have independently provisioned.
  • Prohibited Actions: DoS/DDoS, social engineering, physical attacks.

5. AI-Specific Testing Boundaries

  • AI Worker Memory Poisoning — Permitted within your own isolated test context.
  • Prompt Injection Testing — Permitted exclusively against your own AI workers.
  • Cross-Org Knowledge Leakage Probing — Permitted (high-priority vulnerability).
  • Scheduler & Webhook Chaining — Permitted within your own context and rate limits.
  • Tool & Skill Abuse Exploration — Permitted.
  • Model Output Manipulation — Permitted.
  • Reverse Engineering — Expressly authorized under Safe Harbour.
  • Prohibited: Accessing/manipulating AI workers of any other customer.

6. Severity Classification

Spinnable uses CVSS 3.1 (pure) to calculate the severity of reported vulnerabilities at triage.

7. Safe Harbour (Non-Retaliation)

This section follows the disclose.io framework. It includes CFAA/CMA protections, pre-existing breach protections, a safe port mechanism, and reverse engineering authorization. It is governed by Delaware law, harmonized with EU protections.

8. Researcher Obligations

  • Minimal impact and proportionality
  • Confidentiality until remediation is confirmed or the Disclosure Clock expires
  • Regulatory alignment (NIS2)
  • Modulation rights

9. Dispute Resolution

  • Binding arbitration (JAMS)
  • Maximum 120-day pause
  • Brussels Ia for EU researchers

10. Exclusions & Disqualification

  • Graduated approach: warning → partial suspension → full revocation
  • 14-day due process

11. Contact

12. Data Processing Notice

By submitting a vulnerability report, you acknowledge that Spinnable, Inc. ("Controller") will process your personal data (name, email address, report content, and any metadata) for the following purposes:

  • Purpose: Managing the vulnerability disclosure process, including triage, remediation, and communication.
  • Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) — ensuring the security of our systems and services.
  • Retention: Report data is retained for 3 years after report closure for audit, legal compliance, and historical reference purposes. Personal data is deleted upon request unless retention is required by law.
  • Rights: You may exercise your rights under GDPR (access, rectification, erasure, portability, objection) by contacting privacy@spinnable.ai.
  • Recipients: Report data may be shared with relevant internal teams for remediation purposes. No data is shared with third parties except as required by law.

For full details, see our Privacy Policy.