sablenetwork
Security

Responsible disclosure.

Found a weakness in how we encrypt, route, store, or sign things? Tell us. We'll handle your report the way we'd want one of ours handled.

How to report

Email security@buildsable.com with enough to reproduce it: the endpoint or page, the steps, and what an attacker could do. If the details are sensitive, say so first and we'll send a key to encrypt them.

Hold off on a public issue, a post, or telling third parties until we've shipped a fix and agreed a disclosure date with you.

Our commitment

  • We'll get back to you within three working days.
  • You'll have our read on the issue, and a rough fix timeline, within ten.
  • We'll keep you in the loop through the fix, and credit you by name if you want it.
  • Safe harbor: research done in good faith under this policy won't earn you a legal threat from us.

In scope

  • The API gateway at api.buildsable.com — auth, key handling, the egress/encryption path, receipts, rate limiting, SSRF protections.
  • This website and dashboard at buildsable.com.
  • Anything that could expose prompt or completion content, leak metadata across accounts, or forge a signed receipt.

Out of scope

  • Volumetric DDoS, brute-force without a logic flaw, and social-engineering of our team or vendors.
  • Reports from automated scanners with no demonstrated impact.
  • Best-practice nitpicks with no security consequence (e.g. a missing header that doesn't lead to a concrete attack).
  • Vulnerabilities in upstream model providers — report those to the provider.

Please don't

  • Access, modify, or delete data that isn't yours.
  • Degrade the service for others or run high-volume automated testing against production.
  • Use a finding for anything beyond demonstrating it.