PromptShipPromptShip

Security Policy

Last updated: April 24, 2026

Reporting a vulnerability

If you discover a security vulnerability in PromptShip, please report it privately to [email protected]. Please do not open a public GitHub issue or post about it publicly before we have had a chance to respond.

Include in your report:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce.
  • Any proof-of-concept code, screenshots, or logs, if applicable.

Response timeline

  • Acknowledgement: within 72 hours of receipt.
  • Initial assessment: within 7 days.
  • Fix and disclosure: coordinated with the reporter, typically within 30 days for critical issues.

Disclosure policy

We practice coordinated disclosure. We ask that you give us a reasonable window to investigate and fix the issue before public disclosure. Reporters will be credited in release notes unless they request anonymity.

Scope

In scope:

  • The PromptShip API at api.promptship.dev
  • The PromptShip web app at promptship.dev
  • The PromptShip GitHub App
  • The PromptShip MCP server
  • The PromptShip CLI

Out of scope:

  • Social engineering of PromptShip staff or customers.
  • Denial-of-service attacks.
  • Findings from automated scanners without demonstrated impact.
  • Issues in third-party dependencies already tracked upstream.
  • Issues requiring physical access to a user's device.

Supported versions

PromptShip is a managed service. Security fixes are applied to the live production environment. Self-hosted or forked deployments are not officially supported.

Our commitments

  • All traffic is encrypted in transit with TLS.
  • Secrets and access tokens are encrypted at rest.
  • Deployed user applications run in isolated environments with network controls between tenants.
  • Production access is restricted to authorized engineering staff.

Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Only access, store, or exfiltrate the minimum data necessary to demonstrate a vulnerability.
  • Do not publicly disclose the vulnerability before we have had a reasonable time to respond.
  • Comply with all applicable laws.