Security

Last updated: 9 May 2026 · Operator: OpsKarma — sole proprietorship of Swaraj Dhondge, Mumbai, Maharashtra, India · Machine-readable disclosure

Reporting a vulnerability

Email security@opskarma.com with a description, reproduction steps, and your preferred name for acknowledgement. We will get back to you as soon as we reasonably can — OpsKarma is run by a single independent operator in beta, so we cannot promise a fixed turnaround time yet.

Encryption. If you would like to encrypt your report, request our PGP key by replying to your initial email and we will send it from security@opskarma.com. Until a published key is available at /.well-known/pgp-key.txt, please send a low-detail initial message and we will move to encrypted email for the full report.

Scope

In scope: opskarma.com, *.opskarma.com, and the OpsKarma API. Reports of LLM jailbreaks, prompt injection that affects another user's data or account integrity, and bypasses of the judge are welcome.

Out of scope: third-party services (cloud host, CDN, analytics, inference providers), social engineering of staff, volumetric DDoS tests, missing security headers without a demonstrable impact, self-XSS in the user's own browser session, automated-scanner output without a proof of concept.

Safe harbor

We will not pursue legal action against researchers acting in good faith who:
  • Comply with this policy
  • Avoid privacy violations and data destruction
  • Do not access or modify other users' data
  • Give us a reasonable window to remediate before public disclosure

Out-of-policy

Attacks that affect other users (their data, their sessions), attempts to extract internal keys or secrets, and active exploitation are not authorised by this policy. Reports of the underlying vulnerability without exploitation are welcome.

Bug bounty

We do not currently offer monetary rewards — OpsKarma is a free, independently operated service. If your report leads to a fix, we will publicly acknowledge you (with your consent) in a security advisory and, when a hall-of-fame page is published at /security/hall-of-fame, list you there.

Coordinated disclosure

We follow standard coordinated disclosure norms. As a solo operator in beta, we will work with you to triage, fix, and disclose responsibly; we will not commit to fixed SLAs while we cannot reliably hit them. Please do not publicly disclose a vulnerability until a fix is in place — we will keep you in the loop on progress.

Our posture

  • TLS everywhere; HSTS preload-eligible.
  • HttpOnly + SameSite session cookies; CSRF tokens on state-changing routes.
  • bcrypt password hashing; account lockout after repeated failures.
  • Audit log for sign-ins, hint unlocks, admin actions.
  • Per-user limits on AI calls to cap abuse and runaway cost.