Vulnerability Disclosure
How to report security vulnerabilities to MyClaude, what to include, and what to expect in return.
Report security vulnerabilities to security@myclaude.sh. We respond within 48 hours.
MyClaude is a pre-launch marketplace. We take security reports seriously and treat all good-faith researchers with respect.
How to Report
Send an email to security@myclaude.sh with the subject line: [SECURITY] Brief description.
Do not open a public GitHub issue for security vulnerabilities. Do not post vulnerability details publicly before we have had a chance to respond and remediate.
What to Include
The more detail you provide, the faster we can triage and fix the issue.
| Field | Description |
|---|---|
| Summary | One-sentence description of the vulnerability |
| Severity estimate | Critical / High / Medium / Low (your assessment) |
| Affected component | URL, API route, feature, or system |
| Steps to reproduce | Numbered step-by-step reproduction |
| Proof of concept | Screenshot, video, or code demonstrating impact |
| Impact | What can an attacker achieve? What data is at risk? |
| Suggested fix | Optional — your recommendations |
If you are unsure whether something is a vulnerability, send it anyway. We would rather receive a false positive than miss a real issue.
Response Timeline
| Stage | Target |
|---|---|
| Initial acknowledgment | Within 48 hours |
| Severity confirmation | Within 5 business days |
| Fix shipped (critical) | Within 7 days of confirmation |
| Fix shipped (high) | Within 14 days of confirmation |
| Fix shipped (medium/low) | Within 30 days of confirmation |
| Public disclosure coordination | Agreed with reporter |
We will keep you informed at each stage. If you have not heard from us within 48 hours, send a follow-up — our spam filter may have caught your original message.
Scope
The following systems are in scope for vulnerability reports:
| System | Examples |
|---|---|
| Web application | myclaude.sh and all subdomains |
| API routes | /api/stripe/, /api/products/, /api/users/ |
| Authentication | Login, token handling, session management |
| Authorization | Access control, data isolation between users |
| File access | Paid product download controls, signed URL bypass |
| Payment flow | Stripe checkout, webhook verification |
| CLI | @myclaude-cli/cli npm package |
Out of Scope
The following are not eligible for reports:
- Vulnerabilities in third-party services (Firebase, Stripe, Vercel) — report those directly to the respective vendor
- Social engineering attacks against MyClaude team members
- Physical attacks against infrastructure
- Denial of service (DoS/DDoS) attacks
- Reports that require unlikely user interaction (e.g., user must already be an admin)
- Automated scanner output without confirmed impact
- Missing security headers without demonstrated exploit
- Rate limiting on non-sensitive endpoints
Safe Harbor
MyClaude supports responsible disclosure. If you report a vulnerability in good faith following these guidelines:
- We will not pursue legal action against you
- We will not refer you to law enforcement
- We will treat your report confidentially until an agreed disclosure date
- We will credit you in our changelog if you choose to be named
Good faith means: you did not access, modify, or exfiltrate data beyond what was needed to demonstrate the vulnerability; you did not perform destructive testing; you did not target other users' accounts.
Related pages
- Security Model — full security architecture
- Trust & Safety — content enforcement
- Content Policy — prohibited content and enforcement