Security

Last updated January 1st, 2026

We are committed to the security of our services. We greatly appreciate responsible disclosure of security vulnerabilities.

If you believe you have found a security issue with the inventor.bot platform, please notify us promptly. We investigate all valid reports and work to resolve issues as quickly as possible.

Researcher Rules

If you are a security researcher, we ask that you follow our rules while researching vulnerabilities to help protect our users and services:

  • Only test against accounts you control
  • Do not disrupt service for other users
  • Do not access, modify, or delete data that does not belong to you (if you are demonstrating a vulnerability, use multiple accounts you control)
  • Allow us a reasonable period (typically up to 90 days, unless otherwise agreed) to fix the vulnerability before any public disclosure
  • Provide a detailed report of the vulnerability, including steps to reproduce it
  • Do not publicly disclose a vulnerability until we have had a chance to fix it
  • Do not directly submit reports generated by automated tools, templates, or LLMs

Non-Qualifying Vulnerabilities

We are not interested in reports of the following types:

  • Denial of service attacks
  • Self-XSS
  • Clickjacking on pages with no sensitive actions
  • Social engineering of inventor.bot staff or users
  • Email spoofing or SPF/DKIM/DMARC-related issues
  • Vulnerabilities affecting users of outdated or unpatched browsers or platforms
  • Brute force attacks
  • Vulnerabilities requiring physical access to a user’s device
  • Vulnerabilities that require a user to install a malicious app on their device, or perform an unlikely series of actions
  • Vulnerabilities that require a user to click through a security warning
  • Weak cipher suites or SSL/TLS configuration issues (unless you have a proof of concept against a modern browser)
  • Reports based solely on automated tool output without human verification or a working proof of concept

We are not interested in reports of vulnerabilities in third-party services. Please direct these reports to the appropriate third party. If you require assistance locating the security contact information for a third party, please contact us (as described below).

Safe Harbor

Security research activities conducted in compliance with the rules listed above will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in good faith and in compliance with this policy.

If your account is subject to automated or manual enforcement (such as suspension or banning) as a result of legitimate research activities, contact us and we will work with you to resolve the issue.

Rewards

We do not provide rewards for low-quality or automated reports. Submissions that ignore the non-qualifying vulnerabilities section will not receive a response.

We generally do not offer monetary rewards for security vulnerability reports. However, we may choose to offer access to paid products or account credits. Rewards are granted at our discretion based on the severity and impact of the reported vulnerability.

Contact

The security contact email is only intended for security reports containing the information listed below. Non-security inquiries will not receive a response. Send support requests and other general inquiries via a support ticket or to [email protected].

Valid security reports must contain the following information:

  • A detailed description of the vulnerability
  • Steps to reproduce the vulnerability
  • Any other relevant information
  • Your contact information

Please DO NOT send reports generated by automated tools, templates, or LLMs. You may use automated tools to assist in finding issues, but your report must be written by a human who understands the issue. Automated template or LLM-generated reports will not receive a response.

Please send security reports via a support ticket, using the ‘Security’ category. If you wish to report via email instead, please send your report to [email protected].

Assuming your vulnerability report is valid, we will respond with a plan to resolve the issue, and will keep you updated on the status of the issue as we work to resolve it.

Modification

We reserve the right to modify this policy at any time, with or without notification.