Security

Report a Security Vulnerability

If you believe you have found a vulnerability in ShotMind, report it by email so we can investigate and fix it responsibly.


What to include

  • Affected page, API endpoint, desktop app version, or public file
  • Steps to reproduce the issue
  • Expected result and actual result
  • Potential impact and whether another user's data may be affected
  • Your account email if the issue involves your own account
  • Screenshots, logs, or request samples with secrets and personal data redacted

Good-faith testing boundaries

We welcome careful reports, but testing must stay within these limits:

  • Do not access, modify, delete, or export data that is not yours
  • Do not run denial-of-service, spam, brute-force, or high-volume automated tests
  • Do not use social engineering, phishing, physical attacks, or attacks against third-party providers
  • Do not publicly disclose details before we have acknowledged the report and had a reasonable chance to respond

Response timing

  1. We aim to acknowledge security reports within 3 business days.
  2. For validated high-risk issues, we aim to provide a triage update or mitigation plan within 7 business days.
  3. Critical issues that could expose user data, payment state, account access, or production credentials are handled first.

Current scope

In scope: shotmind.net, app/API/Admin endpoints, billing and account flows, the macOS desktop distribution path, and public download infrastructure. The browser extension is not part of the current public launch scope unless it is explicitly re-enabled.
