
Security & Responsible Disclosure

Last Updated: October 19, 2025

1. Our Commitment to Security

At SpAIder, we take the security of our Service and the privacy of our users seriously. We appreciate the security research community's efforts to help keep our users safe. This policy outlines how to report security vulnerabilities and what to expect from us.

2. Scope

This policy applies to security vulnerabilities in:

  • SpAIder web application (spaider.dev)
  • SpAIder APIs and endpoints
  • SpAIder subdomains (*.spaider.dev)
  • SpAIder mobile applications (if applicable)

2.1 Out of Scope

The following are NOT covered by this policy:

  • Third-party services we use (report to them directly)
  • Social engineering attacks against SpAIder employees
  • Physical attacks against SpAIder infrastructure
  • Vulnerabilities in outdated browsers or operating systems
  • Issues that require physical access to a user's device

3. Reporting a Vulnerability

📧 Security Contact

Email: security@spaider.ai
Subject Line: "Security Vulnerability Report"
Response Time: We aim to respond within 72 hours

3.1 What to Include

To help us understand and address the issue quickly, please include:

  • Description: Clear description of the vulnerability
  • Impact: Potential impact and severity assessment
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Proof of Concept: Screenshots, videos, or code demonstrating the issue
  • Environment: Browser, OS, and other relevant details
  • Your Contact: How we can reach you for follow-up

3.2 Encryption (Optional)

For sensitive vulnerabilities, you may encrypt your report using our PGP key. While not required, we appreciate the extra security. Request our public key from security@spaider.ai before sending exploit details.

4. Responsible Disclosure Guidelines

To protect our users, we ask that you follow these responsible disclosure guidelines:

✅ DO:

  • Report vulnerabilities privately to security@spaider.ai
  • Give us reasonable time to fix the issue before public disclosure
  • Provide detailed information to help us reproduce and fix the issue
  • Use test accounts and data for your research
  • Follow the testing guidelines in this policy

❌ DON'T:

  • Access, modify, or delete other users' data without permission
  • Perform attacks that could harm the Service or users (DoS, spam, etc.)
  • Publicly disclose the vulnerability before we've had a chance to fix it
  • Exploit the vulnerability for personal gain
  • Share the vulnerability with others before it's fixed
  • Violate any laws while testing

5. Safe Harbor

We support security research conducted in good faith.

If you follow these guidelines, we will not:

  • Pursue legal action against you
  • Suspend or terminate your account
  • Contact law enforcement about your research

This safe harbor applies only to security research conducted in compliance with this policy. Malicious activity, data theft, or violation of laws is not protected.

6. Our Response Process

6.1 Timeline

1. Acknowledgment (72 hours): We'll confirm receipt of your report
2. Validation (1-2 weeks): We'll validate the vulnerability and assess severity
3. Resolution (varies by severity): We'll work on a fix and keep you updated
4. Disclosure: Coordinated public disclosure after the fix is deployed

6.2 Communication

We'll keep you informed throughout the process and coordinate with you on public disclosure timing. We aim for transparency while protecting our users.

7. Severity Assessment

We assess vulnerability severity using industry-standard frameworks (CVSS). Priority levels:

  • Critical: Remote code execution, authentication bypass, mass data breach. Fix target: 1-7 days
  • High: Privilege escalation, SQL injection, XSS with serious impact. Fix target: 1-2 weeks
  • Medium: CSRF, information disclosure, security misconfigurations. Fix target: 2-4 weeks
  • Low: Minor information leaks, clickjacking, low-impact issues. Fix target: 1-2 months

8. Recognition

We appreciate security researchers who help keep SpAIder safe:

  • We'll publicly thank you (with your permission) when we disclose the fix
  • We may add you to our Security Hall of Fame
  • We'll provide you with swag and recognition (when applicable)

Note: We currently do not offer a bug bounty program, but we deeply appreciate your efforts.

9. Security Best Practices

9.1 For Users

  • Use a strong, unique password for your SpAIder account
  • Enable two-factor authentication when available
  • Don't share your account credentials
  • Keep your devices and browsers up to date
  • Be cautious of phishing attempts
  • Report suspicious activity immediately

9.2 Our Security Measures

  • Encryption for data in transit (TLS 1.3)
  • Encrypted storage for sensitive data
  • Regular security audits and penetration testing
  • Secure authentication using NextAuth.js
  • Input validation and sanitization
  • Rate limiting and DDoS protection
  • Regular security updates and patches
  • Security monitoring and incident response

10. Incident Response

In the event of a security incident:

  • We'll investigate immediately and contain the issue
  • We'll notify the relevant supervisory authority within 72 hours where GDPR requires it, and affected users without undue delay
  • We'll provide clear information about the incident and our response
  • We'll work with authorities if criminal activity is suspected
  • We'll conduct a post-incident review to prevent recurrence

11. Third-Party Security

We carefully vet our third-party providers for security:

  • OpenAI, Anthropic, Meta: Enterprise API agreements with security guarantees
  • Stripe: PCI DSS Level 1 compliant payment processing
  • Supabase: SOC 2 Type II certified database hosting
  • Vercel: Secure edge network with DDoS protection

12. Questions & Contact

Security Vulnerabilities:
security@spaider.ai

Security Questions:
security@spaider.ai

Privacy Concerns:
privacy@spaider.ai

General Support:
support@spaider.ai

Thank you for helping keep SpAIder secure! We believe in working with the security community to protect our users. If you discover a vulnerability, please report it responsibly, and we'll work with you to address it promptly.