Responsible Disclosure Policy

Last Updated: 21 April 2026

No Bug Bounty Program

We do not operate a bug bounty program and are unable to offer monetary compensation or rewards for vulnerability reports. Please do not reach out expecting payment.

Overview

We take the security of Riffle seriously. If you believe you've found a vulnerability in our platform, we appreciate you letting us know and giving us a chance to address it before making it public.

How to Report

Email us at support@riffle.studio with the following:

  • A clear description of the vulnerability
  • Steps to reproduce it
  • The potential impact, in your assessment
  • Any relevant screenshots, logs, or proof-of-concept

What We Commit To

  • Acknowledge your report within 3 business days
  • Investigate and keep you informed as we work through it
  • Fix confirmed vulnerabilities as promptly as we can
  • Not take legal action against researchers acting in good faith

What We Ask of You

  • Don't exploit the vulnerability beyond what's needed to demonstrate it
  • Don't access, modify, or delete data belonging to other users
  • Don't disclose the issue publicly until we've had a reasonable chance to fix it
  • Don't use automated scanners or perform denial-of-service testing

Scope

This policy applies to the Riffle platform at riffle.studio and app.riffle.studio. Issues with third-party services we use should be reported directly to those providers.