We take security seriously. If you’ve found a vulnerability, please report it to us so we can fix it before bad actors can exploit it.

Contact

Email: security@mokaru.ai

We respond within 48 hours on business days. Critical vulnerabilities (anything affecting user data, authentication, or payment processing) are triaged immediately.

Scope

We accept reports for vulnerabilities in any of these assets:
  • mokaru.ai - Marketing site
  • app.mokaru.ai - Main web application
  • api.mokaru.ai - Public REST API + MCP server
  • docs.mokaru.ai - This documentation site
  • Mokaru mobile app (iOS / Android) - When released
  • Mokaru browser extension - Chrome / Firefox
Out of scope:
  • Third-party services we use (Stripe, Clerk, Azure, Upstash, etc.) - report those directly to the vendor
  • Social engineering of Mokaru employees
  • Physical attacks
  • Denial of service attacks (please don’t run load tests on our production environment)
  • Self-XSS / clickjacking on pages without sensitive actions
  • Issues that require physical access to a user’s device

What to include

A good report contains:
  1. Description of the vulnerability and its impact
  2. Steps to reproduce - clear enough that our engineers can verify it
  3. Affected URL(s) or component(s)
  4. Proof of concept if applicable (screenshots, video, code)
  5. Your contact information for follow-up questions
If the vulnerability is severe, please encrypt sensitive details using our PGP key (available on request) and only send proof-of-concept code via a private channel.

Disclosure policy

  • We follow coordinated disclosure.
  • Please give us reasonable time to fix the issue before going public - typically 90 days, or sooner if we’ve already patched and notified affected users.
  • We will publicly credit you in this page’s hall of fame (below) unless you prefer to stay anonymous.

Good-faith safe harbor

We will not pursue legal action against researchers who:
  • Make a good-faith effort to avoid privacy violations, data destruction, or service interruption
  • Only access the minimum data necessary to demonstrate the vulnerability
  • Don’t disclose the issue publicly before it’s fixed
  • Don’t exploit the vulnerability for personal gain or to harm Mokaru users
If you accidentally access user data while testing, stop immediately and contact us. We treat accidental access reported in good faith as part of the disclosure, not as a separate incident.

What we ask you not to do

  • Don’t access, modify, or delete data that isn’t yours
  • Don’t run automated scanners against app.mokaru.ai or api.mokaru.ai without coordinating with us first
  • Don’t perform any test that could degrade service for other users
  • Don’t pivot to other systems or services through a vulnerability

Hall of fame

Researchers who have responsibly disclosed vulnerabilities to us will be listed here once we have our first valid disclosure. (Be the first!)