Responsible Disclosure
Simulacra welcomes good-faith reports of security vulnerabilities that could affect the confidentiality, integrity, or availability of our website, Studio, Headless API, or related systems.
By design, Simulacra has no standing access to customer research data. The Synthetic Data Studio runs as isolated single-tenant in-memory containers that exist only for the active session and are deleted when the session ends. The Headless API encrypts customer artifacts at rest and in transit, with no shared model and no cross-tenant access path. Valid reports of routes to customer data are eligible for a bounty at our sole discretion — see Bounty program.
How to report
Email security@simulacra-data.com with a concise description, affected URL or endpoint, reproduction steps, impact, and any relevant screenshots or request IDs.
Security-contact metadata is published at /.well-known/security.txt. For sensitive details, encrypt with our PGP key — fingerprint 44D09406E884B759FCA5667EA717F108B5B834C0, available at /.well-known/security-pgp.asc.
Safe-harbor expectations
We will not pursue legal action for good-faith research that follows this policy, avoids privacy harm, avoids service disruption, and gives Simulacra a reasonable opportunity to investigate and remediate before public disclosure.
Rules of engagement
- Do not access, copy, modify, delete, or exfiltrate customer data. By design this shouldn't be possible; if you find a path, stop immediately, do not extract or retain data, and report the issue with non-sensitive proof only (request IDs, redacted screenshots, metadata, or a minimal synthetic-data reproduction). Valid reports may qualify under our Bounty program.
- Do not perform denial-of-service, stress, load, spam, phishing, social-engineering, or physical attacks.
- Do not use scanners or automated testing at a rate that could degrade service.
- Do not attempt persistence, lateral movement, privilege escalation beyond what is necessary to demonstrate impact, or access to employee systems.
- Stop testing and report promptly if you encounter customer data, secrets, tokens, or sensitive internal information.
Scope
In scope: public Simulacra website properties, the Synthetic Data Studio, the Headless API, and related authentication or documentation surfaces that are owned or operated by Simulacra. Third-party services are out of scope except where a vulnerability clearly affects Simulacra's configuration or customer data handling.
Response process
We aim to acknowledge credible reports within two business days, triage severity, keep the reporter updated when practical, and coordinate disclosure timing based on remediation risk.
Bounty program
Simulacra does not operate a general bug bounty program. We do offer discretionary bounties for valid reports of vulnerabilities that would let an unauthorized party access customer research data on the Studio or Headless API.
Eligibility
- The report describes a reproducible vulnerability in an in-scope surface (see Scope) operated by Simulacra.
- You followed the Rules of engagement and Safe-harbor expectations on this page.
- The report is original, not a duplicate of a known issue, and is not derived from confidential information.
- The report contains enough detail for Simulacra to reproduce and remediate the issue.
Exclusions
- Theoretical, speculative, or informational issues; missing best-practice headers; version-disclosure-only findings.
- Findings that required any exfiltration, copying, or retention of customer research data. Customer-data findings must be demonstrated with non-sensitive proof only: request IDs, redacted screenshots, metadata, or a minimal synthetic-data reproduction.
- Findings obtained through other activity prohibited by the Rules of engagement: sustained denial-of-service, social engineering, physical or facility access, or access to employee systems.
- Issues in third-party services or out-of-scope surfaces.
- Reports from minors, sanctioned persons or jurisdictions, current or former Simulacra personnel and contractors, or anyone Simulacra is legally barred from paying.
Determination and payment
Eligibility, validity, severity, and bounty amount are determined by Simulacra at its sole discretion based on the demonstrated impact, novelty, and quality of the report. This program is a goodwill initiative; it is not a contract and does not create any entitlement to payment. Simulacra may modify or discontinue the program at any time without notice. Where a bounty is paid, the reporter is responsible for any taxes, withholdings, and reporting obligations under applicable law, and may be asked to complete tax or sanctions-screening documentation as a condition of payment.
What to include
- Affected domain, route, endpoint, or product surface.
- Exact reproduction steps and expected versus observed behavior.
- Potential impact and whether any data, secrets, or accounts were exposed.
- Your contact information and disclosure preferences.