Responsible Disclosure

1. No authorization to test

Nothing in this Policy authorizes any person to:

• Access systems, accounts, data, or assets they do not lawfully control;
• Conduct vulnerability testing, scanning, probing, exploitation, or any related activity against the SchemaLabs Service;
• Attempt to bypass, evade, or interfere with SchemaLabs' security controls;
• Cause, threaten, or risk degradation of the Service, loss of data, or harm to any user.

Any such activity is unauthorized and may violate the Use Policy, the Terms of Service, the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030), the U.K. Computer Misuse Act 1990, equivalent anti-hacking statutes in other jurisdictions, and applicable contract law.

Advance written authorization from SchemaLabs is required before any testing activity. Submitting a vulnerability report under this Policy does not, by itself, constitute or imply such authorization, retroactively or otherwise.

2. How to report a vulnerability

If you become aware of a potential vulnerability in the SchemaLabs Service through lawful means (for example, while using your own account in the ordinary course, or observing publicly accessible behavior), you may submit a report to [email protected] with:

• A clear description of the issue
• The asset or behavior observed
• Reproduction steps, if known, using only your own account or publicly accessible resources
• The potential impact you believe it may have
• Your name and how you would like to be credited (or "anonymous")

SchemaLabs reviews submissions at its sole discretion and may follow up for clarification. Acknowledgment, triage, and resolution timelines are not guaranteed.

3. What's out of scope

The following activities are explicitly not authorized, by this Policy or otherwise:

• Denial-of-service attacks (volumetric or application-layer).
• Social engineering of SchemaLabs employees, contractors, customers, or partners.
• Physical attacks on SchemaLabs facilities or personnel.
• Phishing of any kind.
• Testing on Customer Data belonging to any party other than yourself.
• Vulnerabilities in third-party services (GCP, AWS, Stripe, and other Sub-Processors). Report those directly to the relevant vendor.
• BYOL Endpoint vulnerabilities. These belong to the third-party LLM provider, not SchemaLabs.
• Already-known issues previously reported through this process or publicly disclosed.
• Self-XSS, clickjacking on non-sensitive pages, missing security headers without demonstrated exploit, missing rate limiting on non-sensitive endpoints, software version disclosure, or other low-severity informational issues, unless chained into a higher-severity vulnerability.

4. What SchemaLabs may do

SchemaLabs has no obligation to respond to any submission. Where SchemaLabs determines, in its sole discretion, that a submission was made under this Policy and that the submitter has not engaged in unauthorized testing or in any conduct prohibited under Section 3 or applicable law, SchemaLabs may:

• Decline to bring civil action against the submitter under the Terms of Service or Use Policy in respect of the specific conduct that produced the submission;
• Decline to refer the submitter's activity to law enforcement in respect of that conduct;
• Decline to bring or support claims against the submitter under the U.S. Computer Fraud and Abuse Act, the U.K. Computer Misuse Act, or analogous anti-hacking statutes in respect of that conduct;
• Engage with the submitter to understand and address the issue;
• Publicly acknowledge the submitter's contribution, with the submitter's consent.

The actions listed above are forbearances offered at SchemaLabs' sole discretion. They are not, and shall not be construed as, a license, authorization, waiver, release, covenant not to sue, or any other right of action by the submitter. SchemaLabs reserves all rights and remedies under contract and applicable law.

5. Coordinated disclosure

If you wish to publish details of a vulnerability you reported under this Policy:

• Coordinate the disclosure date with SchemaLabs in advance;
• Wait at least ninety (90) days from the date of your report, or until SchemaLabs confirms the vulnerability is fully remediated, whichever is later;
• Where remediation reasonably requires additional time, SchemaLabs may request an extension of the embargo, which the submitter shall not unreasonably refuse;
• Allow SchemaLabs the opportunity to notify affected customers and any relevant authorities;
• Do not include working exploit code that could be used against customers still vulnerable;
• Credit SchemaLabs accurately and link to this Policy.

SchemaLabs will operate in good faith to provide consent for publication once a vulnerability is fully remediated and affected customers are protected, consistent with the bullets above.

6. Recognition

SchemaLabs may, with the submitter's consent, publicly acknowledge contributions on the Hall of Fame or in security advisories. SchemaLabs does not currently operate a paid bug bounty program.

7. Not authorized

For the avoidance of doubt, unauthorized testing, probing, scanning, exploitation, reverse engineering, or any related activity against the SchemaLabs Service is a breach of the Use Policy and the Terms of Service and may also constitute a violation of the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030), the U.K. Computer Misuse Act 1990, equivalent anti-hacking statutes, and applicable contract law. SchemaLabs reserves all rights and remedies, including civil action, criminal referral, account suspension or termination, and injunctive relief.

8. Legal

This Policy is published in good faith but does not constitute a contract or any right of action by the submitter. SchemaLabs reserves the right to update this Policy at any time. The current version applies to any submission made on or after its publication date.

If you have any doubt about whether your planned activity is authorized, contact [email protected] before acting.

9. Contact

SchemaLabs, Inc.

• Security: [email protected]