Security

Vulnerability Disclosure

Peppty Technologies welcomes good-faith security reports for peppty.com and the Peppty product surfaces. A clear report path helps us protect users, partners, and the wider product ecosystem.

Report suspected vulnerabilities to security@peppty.com. For urgent product safety or abuse issues, use the in-app report flows first when available.

Scope

Reports may cover public Peppty Technologies properties and product systems that Peppty operates. Third-party platforms, app stores, hosting providers, payment processors, and social networks are outside our control unless the vulnerability is caused by Peppty implementation.

  • peppty.com corporate pages and static assets
  • Chathub Android and chathubapp.com product surfaces
  • ChatRamen iOS and chatramen.com product surfaces
  • Backend services operated for Peppty products

What to Include

The fastest reports to triage are specific, reproducible, and careful with user data. Please include:

  • Clear steps to reproduce the issue
  • The affected URL, app, device, browser, or account state
  • Screenshots, logs, proof-of-concept code, or request examples where safe to share
  • Your contact details and whether you want public credit after remediation

Safe Harbor

Peppty will not pursue legal action against researchers for good-faith research that follows this policy and avoids harm. To stay within that safe harbor:

  • Act in good faith and avoid privacy violations, data destruction, service disruption, spam, phishing, social engineering, or physical attacks.
  • Access only the minimum data necessary to prove the issue, and stop testing if you encounter personal data or sensitive systems.
  • Give Peppty a reasonable opportunity to investigate and remediate before public disclosure.
  • Do not attempt to extort, sell, or weaponize a vulnerability.

Response Expectations

We aim to acknowledge well-formed reports within 5 business days, triage severity as quickly as practical, and provide updates when remediation decisions are made. Timing depends on severity, exploitability, affected systems, and whether third-party providers need to be involved.

If you believe a report involves active abuse, child safety, account takeover, payment risk, or exposed secrets, mark the email subject as urgent and include enough context for immediate routing.

Security.txt

The machine-readable disclosure contact is published at /.well-known/security.txt. A PGP key is not published yet; do not send secrets, private keys, passwords, or highly sensitive personal data by ordinary email unless we provide a secure channel.

See also: Safety · Privacy Policy · Contact