Security
Responsible disclosure.
Found a weakness in how we encrypt, route, store, or sign things? Tell us. We'll handle your report the way we'd want one of ours handled.
How to report
Email security@buildsable.com with enough to reproduce it: the endpoint or page, the steps, and what an attacker could do. If the details are sensitive, say so first and we'll send a key to encrypt them.
Hold off on a public issue, a post, or telling third parties until we've shipped a fix and agreed a disclosure date with you.
Our commitment
- We'll get back to you within three working days.
- You'll have our read on the issue, and a rough fix timeline, within ten.
- We'll keep you in the loop through the fix, and credit you by name if you want it.
- Safe harbor: research done in good faith under this policy won't earn you a legal threat from us.
In scope
- The API gateway at
api.buildsable.com— auth, key handling, the egress/encryption path, receipts, rate limiting, SSRF protections. - This website and dashboard at
buildsable.com. - Anything that could expose prompt or completion content, leak metadata across accounts, or forge a signed receipt.
Out of scope
- Volumetric DDoS, brute-force without a logic flaw, and social-engineering of our team or vendors.
- Reports from automated scanners with no demonstrated impact.
- Best-practice nitpicks with no security consequence (e.g. a missing header that doesn't lead to a concrete attack).
- Vulnerabilities in upstream model providers — report those to the provider.
Please don't
- Access, modify, or delete data that isn't yours.
- Degrade the service for others or run high-volume automated testing against production.
- Use a finding for anything beyond demonstrating it.