Last updated 2026-05-06

Security disclosures.

If you find a security issue in Session™ Vault, here's where to send it. We read every report and we don't shoot the messenger.

Reporting a vulnerability

Email

Send your report to [email protected]. We respond within 24 hours during the work week, 72 hours on weekends. Encrypt with PGP if you want to (key fingerprint coming soon, leave a note in your first email and we'll exchange).

What to include

A clear description of the issue + the affected feature or URL.
Steps to reproduce (a working proof of concept is ideal).
The impact, in plain terms (data exposure, account takeover, denial of service, etc.).
Your contact info + whether you want public credit if we publish a fix.

What's in scope

The following surfaces and code are in scope for security reports:

vault.session.am (the Session™ Vault app)
session.am (marketing site)
The Session™ Vault iOS app (TestFlight or App Store builds)
Any endpoint under /api/ on the above hosts
Server-side data handling, encryption, authentication, sharing, share-link recipients, AI compute paths

What's out of scope

Third-party services we depend on (Backblaze B2, Stripe, Resend, Cloudflare). Report those to the respective vendor.
Spam or phishing reports unrelated to our infrastructure.
Social engineering attacks against our team or customers.
Denial-of-service tests that affect production. If you suspect a DoS issue, describe it and we'll reproduce in a controlled environment.

Our promise

If you report a real issue in good faith and follow this policy, we will not pursue legal action against you. We will work with you on a reasonable disclosure timeline (typical: 7 days to triage, up to 90 days to remediate before public disclosure). We credit the reporter unless you ask us not to.

Researcher rewards

A formal paid bug bounty is on our roadmap once Session™ Vault has a paying-user base that justifies the budget. Today, on top of public credit, we offer:

One year of Pro tier on Session™ Vault for valid reports of medium severity or higher.
One Edition 001 Session Cards deck (limited, 500-unit run) for high or critical severity reports, while supplies last.

For privacy details (encryption model, AI handling, data export, audit log), see our privacy page. For the legal terms governing your account, see terms.