Security Policy
Effective date: April 24, 2026
1. Our Commitment
Pixelmind Ventures takes the security of Sammy AI and its users seriously. We are committed to working with security researchers and the community to identify and address vulnerabilities responsibly. If you believe you have found a security issue in any Sammy product or service, we encourage you to disclose it to us through the process described below.
2. Scope
The following assets are in scope for responsible disclosure:
- sammyai.net and all subdomains
- The Sammy web application (authentication, API, data handling)
- The Sammy desktop application (Windows installer and Electron runtime)
- Any Pixelmind Ventures infrastructure directly supporting Sammy
The following are out of scope:
- Third-party services and infrastructure not under our control (OpenAI, Anthropic, Stripe, Manus hosting)
- Denial-of-service attacks or volumetric testing
- Social engineering or phishing attacks against Sammy staff or users
- Physical security
- Vulnerabilities in end-user devices or operating systems
- Issues requiring unlikely user interaction or physical access to a victim's device
3. Disclosure Process
We follow a coordinated disclosure model. Please report vulnerabilities by emailing [email protected] with the following information:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce the issue (proof-of-concept code or screenshots are helpful)
- The affected URL, endpoint, or component
- Your name or handle (optional — anonymous reports are accepted)
Please encrypt sensitive reports using our PGP key if the vulnerability involves credentials, personal data, or other sensitive information. Contact us first to request the key.
4. Response Timeline
| Milestone | Target Timeframe |
|---|---|
| Initial acknowledgment | Within 2 business days |
| Triage and severity assessment | Within 7 days |
| Status update | Every 14 days until resolved |
| Patch for critical/high severity | Within 30 days |
| Patch for medium/low severity | Within 90 days |
| Public disclosure (coordinated) | After patch is deployed |
5. Safe Harbor
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they comply with this policy. Good faith means: not accessing, modifying, or deleting user data beyond what is necessary to demonstrate the vulnerability; not disrupting production services; and reporting findings to us before public disclosure. We consider security research conducted under these terms to be authorized and will work with researchers to understand and resolve issues promptly.
6. Recognition
We do not currently operate a paid bug bounty program. However, we are grateful to researchers who help improve Sammy's security. With your permission, we will acknowledge your contribution in our release notes or a public hall of fame when a reported vulnerability is resolved.