Report a security issue
Prompt privacy is Umbra's whole reason to exist, so security reports matter to us. If you have found a vulnerability, here is how to disclose it responsibly.
How to report
Email [email protected] with SECURITY in the subject. We do not have a dedicated security inbox yet, so this keeps reports routed correctly. Please include:
- a clear description of the issue and its impact;
- the affected endpoint, page, or component;
- steps to reproduce, and a proof of concept if you have one;
- any information needed for us to contact you back.
Scope
In scope are our public surfaces:
- tryumbra.dev (the website and console);
- api.tryumbra.dev (the inference API);
- the Umbra provider app that runs on Apple Silicon Macs.
Out of scope: third-party services we depend on (report those to their own programs), the underlying model weights hosted on Hugging Face, and reports that boil down to missing best-practice hardening with no demonstrable impact.
Please test in good faith
When you research in good faith and follow this policy, we will not pursue action against you for that research. That means: only test accounts and assets you own or are authorized to use; do not access, modify, or exfiltrate other people's data; do not degrade the service or run denial-of-service tests; stop as soon as you have a proof of concept; and give us a reasonable chance to fix the issue before disclosing it publicly. Do not use social engineering, physical attacks, or anything unlawful.
What to expect
We will acknowledge valid reports and work to remediate confirmed issues as quickly as our small alpha team can. We do not run a paid bug bounty at this time, so no monetary reward is promised. We are grateful for good-faith reports and are happy to credit you once an issue is resolved, if you would like.
Our machine-readable policy lives at /.well-known/security.txt.