Scope
AICardAPI encourages good-faith security research that helps protect merchants, developers and platform users. This draft needs approved contacts, safe-harbor language, exclusions and timelines before publication.
Good-faith reports may include authentication issues, authorization bypass, sensitive data exposure, injection flaws, business logic vulnerabilities or weaknesses in public developer surfaces.
Denial-of-service testing, social engineering, physical attacks, spam, destructive testing, data exfiltration beyond proof of concept and attacks against third-party systems are not authorized.
Use test accounts and demo data only, stop once a vulnerability is confirmed and provide enough detail for reproduction.
Reports should include the affected URLs or endpoints, the impact, steps to reproduce, screenshots or logs (with secrets redacted), and a secure contact method.
Do not include full PAN, CVV, PIN, private keys, production credentials, webhook secrets or raw sensitive payloads in reports.