Trust and AI
For founder IP, AI data handling, access boundaries, and what the standard environment is not designed for, see Trust, AI, and Founder IP.
Our posture
- All traffic is served over TLS, with HTTP redirected to HTTPS.
- Sessions are managed with secure HTTP-only cookies. Passwords are never stored in plaintext.
- Server-side access uses minimum-privilege credentials. Admin and debug surfaces are gated by role and are not exposed in public navigation.
- Share links are unguessable tokens. Owners and admins can revoke any link they created, immediately and irreversibly.
- We rate-limit public endpoints and refuse to leak whether a given share token, account, or invite code exists when the caller is not authorized to know.
Reporting a vulnerability
If you have found something that looks like a security issue, please email tfox@raincrowstudios.com. Include enough detail for us to reproduce the issue — ideally the URL, a description of the unexpected behavior, and a minimal proof of concept.
We ask that you:
- Give us a reasonable opportunity to investigate and respond before publishing details.
- Avoid actions that would degrade service for other users (denial-of-service testing, automated scanning, social engineering of staff or partners).
- Avoid accessing or modifying data that does not belong to you, beyond the minimum needed to demonstrate the issue.
We welcome good-faith vulnerability reports. Please avoid accessing, modifying, deleting, or exfiltrating data, and do not disrupt the service. We will review reports submitted in good faith.
What is not in scope
- Findings from automated scanners without a working exploit.
- Missing security headers on third-party assets we do not control.
- Self-XSS that requires the user to paste content into the browser console.
- Reports that depend on outdated browsers or non-standard configurations.