Security

Security Disclosure Policy

Last updated: July 6, 2026

Manicode Worldwide, Inc., doing business as Manicode Security ("we," "us," or "our"), welcomes reports from security researchers who help keep our products and users safe. This policy explains how to report a vulnerability responsibly, what is in scope, and what you can expect from us in return. We are committed to working with the security community in good faith and to resolving valid issues promptly.

How to report

Email your report to security@manicode.com. A machine-readable version of these contact details is published at /.well-known/security.txt in line with RFC 9116.

To help us triage quickly, please include:

  • The affected asset or URL and the type of issue.
  • Clear, reproducible steps, including any proof-of-concept, request/response pairs, or screenshots.
  • The potential impact as you understand it.
  • How we can reach you for follow-up questions.

Scope

This policy covers the public assets we operate, including:

  • manicode.ai — this marketing site.
  • docs.manicode.ai — our documentation.

If you are unsure whether something is in scope, email us before testing and we will help you scope it.

Safe harbor

We consider security research and vulnerability disclosure conducted in good faith and in accordance with this policy to be authorized. We will not pursue or support legal action against you for such research, and we will work with you to understand and resolve the issue quickly. If a third party brings a claim against you for activity that complied with this policy, we will make it known that your actions were authorized. This safe harbor does not apply to activity that is malicious, that violates this policy, or that breaks the law.

Guidelines for good-faith research

To stay within this policy, please:

  • Give us a reasonable opportunity to fix an issue before disclosing it publicly, and coordinate any disclosure with us.
  • Only interact with accounts you own or have explicit permission to test.
  • Avoid privacy violations, data destruction, and any degradation of our services.
  • Stop testing and report immediately if you encounter personal or confidential data, and do not access, store, or share it beyond what is needed to demonstrate the issue.

Out of scope

The following activities and report types are not covered by this policy:

  • Denial-of-service, volumetric, or resource-exhaustion attacks.
  • Social engineering, phishing, or physical attacks against our staff, users, or facilities.
  • Automated scanning that generates significant traffic or noise.
  • Reports from automated tools without a demonstrated, exploitable impact.
  • Best-practice suggestions with no security impact (for example, missing headers with no proof of exploitability).

What to expect

  • We will acknowledge your report within five business days.
  • We will work to validate the issue and keep you informed of our progress.
  • We will let you know when the issue is resolved, and we are happy to credit you for the discovery if you would like.

We do not currently operate a paid bug-bounty program, but we genuinely appreciate every good-faith report.

Changes to this policy

We may update this Security Disclosure Policy from time to time. When we do, we will revise the "Last updated" date above.

Contact us

For anything related to security, email security@manicode.com.