Responsible Disclosure Policy
MediaCreators
Last updated: April 27, 2026
The security of our platform and our users' data is a top priority. We welcome reports from security researchers and the broader community. If you believe you have found a vulnerability in any MediaCreators-owned system, we encourage you to let us know responsibly.
How to Report
Send your report to info@mediacreators.io with the subject line [Security]. Please include:
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Affected URL, endpoint, or component
- Any proof-of-concept code, screenshots, or recordings
- Your contact information (optional — anonymous reports accepted)
Encrypt sensitive reports using our public key available on request.
Scope
In scope
- mediacreators.io and all subdomains
- app.mediacreators.io — the creator platform
- api.mediacreators.io — the public API
Out of scope
- Denial of service (DoS / DDoS) attacks
- Social engineering or phishing against MediaCreators staff or users
- Physical security
- Vulnerabilities in third-party services or libraries not directly controlled by us
- Clickjacking on pages without sensitive actions
- Missing security headers without a demonstrated exploitable impact
- Reports generated solely by automated scanners without manual validation
- Issues already known to us or previously reported by another researcher
Testing Guidelines
When researching potential vulnerabilities, you must:
- Only test against your own accounts. Never target other users' data or accounts.
- Avoid automated scanners against production systems — they can degrade service for real users. Request permission before running any automated tooling.
- Do not exfiltrate, modify, or delete user data. Stop testing immediately if you inadvertently access data that is not yours and report it.
- Do not disrupt production services. Any testing that risks availability is out of scope.
- Do not perform actions beyond what is necessary to demonstrate the vulnerability.
If you need a dedicated test environment or additional access to conduct responsible research, contact us first and we will do our best to accommodate you.
Disclosure Guidelines
We follow a coordinated disclosure model:
- Do not disclose publicly until we have had a reasonable opportunity to investigate and remediate — we ask for 90 days from the date of your initial report.
- If you intend to present findings at a conference or publish a write-up, please send us a draft at least 30 days before the planned publication date.
- Do not include personal data of MediaCreators users or employees in any public disclosure.
- If a fix requires more than 90 days due to complexity, we will notify you with a revised timeline and the reason for the extension.
What to Expect from Us
- Acknowledgment within 3 business days of receiving your report.
- Initial evaluation within 10 business days — we will confirm whether we can reproduce the issue and assess its severity.
- Regular updates throughout the remediation process.
- Target resolution within 90 days for confirmed vulnerabilities.
- Public credit in our release notes or security acknowledgements page if you wish to be recognized — just let us know.
We do not currently operate a paid bug bounty program, but we genuinely appreciate responsible disclosure and will recognize every valid report.
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who:
- Discover and report vulnerabilities in good faith
- Avoid violating the privacy of users or disrupting our services
- Follow the testing and disclosure guidelines above
- Do not exploit the vulnerability beyond the minimum necessary to demonstrate it
If you act in good faith, we will work with you rather than against you. This safe harbor does not apply to activities that fall outside the scope of this policy.
This policy is inspired by industry best practices and the disclose.io framework.
