Safe Harbor
AnonX considers activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act (CFAA) and similar laws. We will not initiate legal action against you or ask law enforcement to investigate you if you comply strictly with this Vulnerability Disclosure Policy.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy.
Rules of Engagement
To receive Safe Harbor protection, you must adhere to the following rules while conducting your research:
- Do not access other users' data. Only interact with test accounts you own, or with accounts whose holder has given you explicit permission.
- Do not degrade the platform. Do not execute Denial of Service (DoS/DDoS) attacks, spam generation, or resource exhaustion attacks.
- No Social Engineering. Do not attempt phishing, vishing, or physical attacks against AnonX employees, infrastructure, or users.
- Stop and Report. If you encounter PII (Personally Identifiable Information) or other sensitive user data, halt your testing immediately, delete any copies you have retained, and report the vulnerability to us.
In-Scope and Out-of-Scope Targets
In-Scope:
- anonx.app and its subdomains (e.g., beta.anonx.app)
- AnonX API endpoints
Out-of-Scope:
- Third-party services or vendors (e.g., Supabase, Cloudflare, AWS infrastructure).
- Vulnerabilities requiring physical access to a user's device.
- Missing security headers that do not lead to a direct vulnerability.
Reporting a Vulnerability
If you believe you've found a security vulnerability, please report it to us by emailing security@anonx.app.
Please include a detailed description of the vulnerability, clear steps to reproduce it, and any proof-of-concept (PoC) scripts or screenshots. Give us a reasonable amount of time to remediate the issue before making any information public.