Report a security issue

Prompt privacy is Umbra's whole reason to exist, so security reports matter to us. If you have found a vulnerability, here is how to disclose it responsibly.

Draft, pending legal review. This is a good-faith disclosure policy written to reflect how we handle reports today. It has not been reviewed by counsel and is not a contract. Nothing here waives any right, and we make no binding legal promise. Questions? Contact us.

How to report

Email [email protected] with SECURITY in the subject. We do not have a dedicated security inbox yet, so this keeps reports routed correctly. Please include:

Scope

In scope are our public surfaces:

Out of scope: third-party services we depend on (report those to their own programs), the underlying model weights hosted on Hugging Face, and reports that boil down to missing best-practice hardening with no demonstrable impact.

Please test in good faith

When you research in good faith and follow this policy, we will not pursue action against you for that research. That means: only test accounts and assets you own or are authorized to use; do not access, modify, or exfiltrate other people's data; do not degrade the service or run denial-of-service tests; stop as soon as you have a proof of concept; and give us a reasonable chance to fix the issue before disclosing it publicly. Do not use social engineering, physical attacks, or anything unlawful.

What to expect

We will acknowledge valid reports and work to remediate confirmed issues as quickly as our small alpha team can. We do not run a paid bug bounty at this time, so no monetary reward is promised. We are grateful for good-faith reports and are happy to credit you once an issue is resolved, if you would like.

Found something? Email [email protected] with subject SECURITY. Our machine-readable policy lives at /.well-known/security.txt.