
Reporting a vulnerability

How to report a security issue.

Last updated:

Scope

This policy covers security vulnerabilities in the Prism service at prismlens.net, including the web application, API, and any mobile clients we release. It does not cover third-party services (Supabase, Vercel, Anthropic, OpenAI, Stripe, Resend) — report issues in those directly to the vendor.

In scope

·Authentication and authorisation flaws (access control bypasses, session handling, privilege escalation).

·Data exposure or leakage (other users’ entries, embeddings, analysis, or personal data visible without authorisation).

·Injection flaws (SQL, template, command, prompt injection that leaks data across users).

·Remote code execution.

·Server-side request forgery (SSRF) or other infrastructure risks.

·Logic flaws that allow free access to paid features, bypass of rate limits, or financial loss.

·Supply-chain risks specific to Prism’s deployment.

Out of scope

·Third-party issues in Supabase, Vercel, Anthropic, OpenAI, Stripe, Resend — report to the vendor.

·Denial of service, volumetric attacks, or physical attacks.

·Social-engineering attacks against Prism staff.

·Self-XSS requiring the user to paste code into their own browser.

·Missing security headers with no demonstrable impact.

·Clickjacking on pages with no sensitive action.

·Issues requiring an already-compromised device or root/jailbreak.

·CSRF on endpoints with no security impact.

·Rate limiting / brute force without credential-valid impact.

·Reports generated entirely by automated scanners with no manual verification.

How to report

Email security@prismlens.net and include:

·A clear description of the issue.

·Steps to reproduce, or a proof-of-concept.

·Your assessment of impact (who is affected, how).

·Your contact details (optional) if you want attribution or a reply.

What we commit to

·Acknowledge receipt within 3 business days.

·Triage and respond with our initial assessment within 7 business days.

·Keep you informed through remediation.

·Not take legal action against good-faith research conducted within this policy, provided you avoid accessing or exfiltrating other users’ data beyond the minimum needed to demonstrate the issue, do not degrade service availability, give us a reasonable window (default 90 days) before public disclosure, and comply with applicable law.

What we ask of you

·Don’t test against real users’ data. Create a test account.

·Don’t use social engineering against Prism’s founders, staff, or users.

·Don’t exfiltrate data beyond what’s needed to prove the issue.

·Don’t publicly disclose before we’ve had a reasonable window to respond and remediate.

·Report in English or Arabic.

Bug bounty

Prism does not currently run a cash bounty programme. For significant issues we will acknowledge you publicly (with your permission), credit you in a changelog entry, and send Prism swag where available. Our priority is remediation speed, not a bounty budget; we will revisit this as we grow.

Safe harbour

To the fullest extent we are able to offer, your good-faith research conducted under this policy:

·Is authorised by Prism and does not violate the Prism Terms of Service.

·Will not be grounds for civil or criminal action by Prism under applicable computer-misuse laws.

·Will not result in a complaint to your employer, regulator, or law enforcement.

This safe harbour is our own commitment; it does not guarantee that third parties (payment processors, infrastructure providers) will take the same view. If in doubt, contact us before testing.

Contact

·Security reports: security@prismlens.net

·General support: support@prismlens.net

·Privacy / DPO: privacy@prismlens.net · dpo@prismlens.net

Related documents: Privacy Policy · Terms of Service.