Security & Responsible Disclosure

If you believe you have discovered a security vulnerability in img.pro, please email security@img.pro with as much detail as you can:

• A clear description of the issue and the affected endpoint or feature.
• Steps to reproduce (HTTP requests, screenshots, a minimal proof-of-concept where relevant).
• The impact you observed and any speculation about wider impact.
• Your name or handle, if you'd like credit in our acknowledgments.

We do not currently operate a paid bug bounty, but we acknowledge valid reports and will credit researchers (with their consent) in our release notes.

We will not pursue legal action against researchers who, in good faith and consistent with this policy:

• Test only on accounts they own or have explicit permission to test on.
• Avoid privacy violations, destruction of data, and degradation of service to other users.
• Do not exfiltrate data beyond what is minimally necessary to demonstrate the issue, and delete any such data once reported.
• Give us a reasonable opportunity to remediate before public disclosure.

In scope:

• img.pro and all *.img.pro subdomains.
• API endpoints under api.img.pro.
• Image-transform endpoints under src.img.pro.

Out of scope:

• Denial-of-service or volumetric attacks of any kind.
• Social-engineering of Moshi Inc. employees, contractors, or customers.
• Physical access attacks on infrastructure operated by our subprocessors.
• Issues in third-party services we do not control (please report those upstream).
• Reports based solely on automated scanner output without demonstrated impact.

We aim to:

• Acknowledge new reports within 3 business days.
• Provide a triage assessment within 10 business days.
• Communicate substantive progress every 14 days until the issue is resolved or determined to be out of scope.

This page is referenced from /.well-known/security.txt.