LEGAL

Responsible Disclosure

Thabit welcomes security research. If you believe you’ve discovered a vulnerability affecting Thabit or our users, please report it through the process below. In exchange, we commit to working with you in good faith and to not pursuing legal action against researchers who act in compliance with this policy.

LAST UPDATED · APRIL 17, 2026

How to Report

Email security@thabit.ai with the subject line [SECURITY] and a description of the issue. Include:

  • The URL, endpoint, or component affected;
  • Steps to reproduce (include HTTP requests, payloads, screenshots as relevant);
  • Potential impact of the vulnerability;
  • Your PGP key if you wish to receive encrypted replies (ours is fingerprinted at the bottom of this page).

For critical issues, we respond within 24 hours. For all other reports, we acknowledge within 5 business days.

Scope

In scope:

  • thabit.ai and all subdomains
  • The api.thabit.ai API endpoints (when live)
  • The app.thabit.ai application (when live)
  • The Thabit single-file HTML product at thabit.ai/thabit.html when hosted by Thabit

Out of scope:

  • Third-party services we don’t operate (Stripe, AWS, Anthropic, etc.); report those to the respective providers;
  • Denial-of-service attacks, load tests, or volumetric probes;
  • Physical security of Thabit facilities or personnel;
  • Social engineering of Thabit employees;
  • Outdated browser / operating system issues;
  • Missing security headers that are not directly exploitable;
  • Issues in unrelated properties (personal blogs, etc.) of Thabit employees.

Safe Harbor

Thabit considers security research and vulnerability disclosure activities conducted in accordance with this policy to be authorized. As long as you:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of service;
  • Only interact with accounts you own or with explicit permission of the account holder;
  • Do not exfiltrate any data beyond what is minimally necessary to demonstrate the issue;
  • Give us reasonable time to fix the issue before disclosing it publicly;

we will:

  • Not pursue legal action against you under the Computer Fraud and Abuse Act or anti-circumvention provisions of the DMCA;
  • Consider your activity authorized under Thabit’s Terms of Service;
  • Work with you publicly to clarify any issues if legal action is initiated by a third party against you for your research.

If in doubt about whether an activity is covered, contact us in advance.

Response Timeline

Severity    First response      Fix target
Critical    24 hours            72 hours
High        48 hours            14 days
Medium      5 business days     60 days
Low         5 business days     90 days

Recognition

With your permission, we list on this page the researchers who have responsibly disclosed valid issues. We don’t currently operate a paid bug bounty, but we may provide a recognition gift for qualifying reports, and we can provide a written attestation suitable for portfolios or employment references.

Hall of Fame

No reports to acknowledge yet. Yours could be first.