Email: support@adspirer.com
Response Time: Within 48 hours
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- HTTPS required for all public endpoints
- Block private/loopback/link-local addresses
- Cap redirects (≤5)
- Enforce per-URL and overall timeouts
- Size limits enforced (10MB per image)
- Reject unexpected content types for a given tool
- Validate Content-Type headers
- Test image validity with PIL before accepting
- Bearer tokens validated per request
- Least-privilege scopes applied per operation
- Refresh token rotation enforced
- PKCE required for all flows
- Logs exclude secrets and access tokens
- Correlation identifiers used for tracing
- Token usage and duration metrics logged
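The fetch rules above (HTTPS only, blocking private/loopback/link-local targets, a redirect cap of 5, content-type and 10MB checks) fit together as one guarded fetch. The following is an added illustration, not the project's own code: it assumes an allowlist of image types, injected `resolve(host)` and `send(url)` callables so it runs without network access, and leaves streaming the body under the byte cap and the PIL validity check to the caller.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5                   # "Cap redirects (<=5)"
MAX_IMAGE_BYTES = 10 * 1024 * 1024  # "10MB per image"
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/webp"}  # assumed allowlist

def is_blocked_address(ip_str):
    """True for private, loopback, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_target(url, resolve):
    """None if url is HTTPS and resolves only to public addresses, else a reason string."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "scheme must be https"
    addrs = resolve(parsed.hostname) if parsed.hostname else []  # resolve(host) -> [ip, ...]
    if not addrs:
        return "host missing or does not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return f"blocked address {addr}"
    return None

def fetch_image_url(url, resolve, send):
    """Follow at most MAX_REDIRECTS hops, validating each hop before it is requested.
    send(url) -> (status, headers), assumed to enforce its own per-request timeout."""
    for _ in range(MAX_REDIRECTS + 1):  # initial request plus up to 5 redirects
        err = validate_target(url, resolve)
        if err:
            return False, err
        status, headers = send(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                return False, "redirect without Location"
            url = urljoin(url, location)  # next hop is validated at the top of the loop
            continue
        if status != 200:
            return False, f"unexpected status {status}"
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_IMAGE_TYPES:
            return False, f"unexpected content type {ctype!r}"
        length = headers.get("Content-Length")
        if length is not None and int(length) > MAX_IMAGE_BYTES:
            return False, "image exceeds size limit"
        return True, url  # caller streams the body, enforcing the byte cap and the PIL check
    return False, "too many redirects"
```

Content-Length is advisory, so the byte cap must also be enforced while reading the body, and the address check only holds if the connection is made to the address that was validated (pin the resolved IP rather than resolving a second time).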
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
We follow responsible disclosure practices:
- Report received and acknowledged
- Investigation and fix development
- Coordinated disclosure after fix deployment
- Credit to reporter (unless anonymity requested)