Security at Fanhaze
We take the security of our creators and fans seriously. If you believe you've found a vulnerability, we want to hear from you — and we'll work with you to confirm and fix it quickly.
How to report
Email security@fanhaze.com with enough detail for us to reproduce the issue. Please include:
- a clear description of the vulnerability and its impact,
- step-by-step instructions or a proof-of-concept to reproduce it,
- the affected URL, endpoint, or component, and
- your name or handle if you'd like to be credited.
Our machine-readable contact details are published at /.well-known/security.txt (RFC 9116).
Our commitment to you (safe harbor)
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research, and we'll treat your report confidentially. We'll acknowledge your report, keep you updated as we investigate, and let you know when the issue is resolved. With your permission, we're glad to publicly credit you once a fix has shipped.
Please do
- Report what you find as soon as possible, and give us reasonable time to fix it before disclosing.
- Only test against your own account(s) and data.
- Keep the details confidential until we've had a chance to remediate.
Please don't
- Access, modify, or delete other people's data, or degrade the service for others.
- Run denial-of-service tests, send spam, or use automated high-volume scanning.
- Use social engineering, phishing, or physical attacks against our people or facilities.
- Publicly disclose an issue, or hold it for ransom, before we've confirmed it's resolved.
Scope
Our web platform and API are in scope. Generally out of scope: reports with no realistic security impact (e.g. missing best-practice headers without a demonstrated exploit), denial-of-service, spam or rate-limit volume tests, and issues requiring a rooted/jailbroken device or an already-compromised account.
Response targets
We aim to acknowledge new reports promptly and to prioritize by severity — critical issues affecting user safety or data are actioned immediately. We'll keep you informed through to a fix.
Looking to report abusive content or appeal a moderation decision instead? See the Trust Center.