Responsible Disclosure
Last updated on May 16, 2026
Last reviewed on May 16, 2026
We take the security of RapidArch and the data that flows through it seriously. If you believe you have found a security vulnerability, we’d like to hear about it.
How to report an issue
Email info@rapidarch.com with the following details:
- A summary of the vulnerability and its potential impact.
- Steps to reproduce the issue, including screenshots.
- Details of your environment: operating system, browser, and device.
- If possible, proof-of-concept code or payloads used to exploit the vulnerability.
We aim to acknowledge reports within three (3) business days and to provide a substantive update within ten (10) business days. We will keep you informed of our progress and may request additional detail or a retest before remediation is confirmed.
In scope
- rapidarch.com and its subdomains.
- The editor at /editor.
- Server-side endpoints we operate (for example, the email signup endpoint and any administrative API).
Out of scope
- Automated scanning of any kind.
- Social engineering of RapidArch staff, contractors, or users.
- Missing or insufficient rate limiting on public pages.
- Missing security headers on responses, unless material harm or exploitation is demonstrated.
- Brute-force attacks against authentication endpoints.
- Denial-of-service or distributed denial-of-service attacks.
- Clickjacking on pages without sensitive actions or authenticated state.
- Theoretical attacks without proof of exploitability.
- Attacks requiring physical access to a victim’s device.
- Attacks requiring interception of a valid user’s network traffic.
- Vulnerabilities in third-party services we depend on (e.g., Vercel, Neon, PostHog) — please report those to the respective vendor.
We ask that you
- Test against your own account or test data only; do not interact with other users’ data without their explicit permission.
- Do not copy, modify, or destroy production data.
- Do not engage in activities that will cause downtime or degraded service for other users.
- Comply with all applicable laws, this policy, and our Terms of Service.
- Give us a reasonable opportunity to investigate and remediate before disclosing publicly.
Recognition
RapidArch does not currently operate a paid bug-bounty program. We will publicly thank reporters who follow this policy and who help us materially improve the security of the Services, unless they prefer to remain anonymous.
Safe harbor
When you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for the act of testing or for the resulting report. If a third party initiates legal action against you for activities we consider covered by this safe harbor, we will make this commitment known.
Contact
Send security reports to info@rapidarch.com.
