Security

Responsible disclosure

Submind is a personal research project, operated by one person, unfunded. If you discover a security issue I want to hear about it before anyone else does — please disclose it privately first.

How to report

Email schommer.contact@gmail.com with a subject line starting with SECURITY:. Include:

  • A description of the issue and the affected surface (URL, endpoint, parameter).
  • Steps to reproduce, or a proof-of-concept.
  • The impact you believe the issue could have.
  • Any suggested fix, if you have one.

Please do not include exploitation against other users or denial-of-service tests as part of your report. Read-level verification of an issue against your own request is fine; anything that touches other users' data or degrades service for them is out of scope.

Response SLA

I will acknowledge a report within 7 days of receiving it, and I will let you know my assessment of severity and a rough remediation timeline at the same time. For critical issues I will usually patch within a week; for lower-severity issues it may take longer and I'll say so.

No bug bounty

Submind is a solo, unfunded project. I cannot offer a bug bounty. What I can offer is recognition: with your permission I will credit you in the project README (and in the commit message of the fix) for the discovery. If you prefer to remain anonymous, that is fine too — just tell me at the time of disclosure.

Safe harbor

Good-faith security research that respects the boundaries above is welcome. I will not pursue legal action against researchers who follow this policy, who do not access or modify data belonging to other users, and who give me a reasonable window to respond before any public disclosure. If you are unsure whether a planned test is in-scope, ask me first by email.