Vulnerability Disclosure & (Future) Bug Bounty

Short, honest, and community-first. Last updated: October 1, 2025.

We’re a small team in Málaga trying to make the internet a little safer. Omnia is open and collaborative by design, which naturally invites creative experiments… and sometimes unexpected risks. If you find a security issue, we’d love your help. We can’t pay cash rewards yet (no funding), but we’ll do our best to say thanks with a t-shirt or cap, public credit, and genuine appreciation.

If something here feels unclear, tell us and we’ll improve it.

Our philosophy

Openness over fear. Omnia lets people create and share prompts, workflows, RAGs, agents, and MCP connectors. That openness is the point.
Community moderates quality. Helpful content should rise, junk should sink. Please report abuse or malicious content so we can keep the space healthy.
Responsible security research is welcome. If you act in good faith and within the rules below, we’ll treat your work as a contribution, not a threat.

What’s interesting to us (in scope)

Please focus on real security risks, especially those with privacy impact or system compromise:

Unauthorized access to other users’ data (chats, files, private artifacts, API keys).
Evidence of account takeover, auth/session flaws (e.g., OAuth/OpenID issues, CSRF, broken passwordless flows).
Privilege escalation, horizontal/vertical access control bypass.
Server-side vulnerabilities (RCE, SQLi/NoSQLi, SSRF with impact, path traversal, IDORs).
Insecure storage or transport of sensitive data (e.g., hardcoded secrets, missing TLS, weak crypto in context where it matters).
Supply-chain risks in our first-party code (e.g., dependency confusion affecting our build/runtime).
Misconfigurations that expose non-public infrastructure (e.g., S3/GCS buckets, CI/CD secrets, admin endpoints).

Assets in scope:

omniasec.ai and subdomains we operate (web app, API, docs).
First-party services behind Omnia (auth, storage, workflows).
Our public repositories and code we publish (where applicable).

Third-party connectors (MCPs): When you explicitly invoke them, your data may flow to those providers under their own terms. Please report integration issues that create impact inside Omnia, vendor-specific bugs should go to the vendor.

What’s not useful (out of scope)

Because Omnia is open and agentic, some “findings” are expected by design and won’t be triaged:

Prompt injection & jailbreak games without cross-tenant impact.
System prompt disclosure or getting the model to say weird stuff. We literally link our current system prompt for transparency: System Prompt (we keep guardrails minimal for research utility).
Malicious or low-quality community content (e.g., a “bad” prompt) without a platform bypass. please report it via content reporting.
Rate-limit observations with no exploitation angle.
Best-practice nits without exploitable risk (missing headers, version banners, clickjacking on non-sensitive pages, generic CSP hardening).
DoS/volumetric testing, spam, social engineering of our team or users, physical security tests, or attacks on third-party providers uninvolved in an Omnia impact.
Findings that require a compromised device, rooted browser, or unrealistic user settings to matter.

If you’re unsure, send it anyway with a clear impact story, we’ll review quickly and fairly.

Rules of engagement (please read)

Only test against your own accounts/data. Don’t access or modify anyone else’s.
No data exfiltration. If you can prove access, stop at proof (e.g., show object IDs, redacted metadata) and don’t pull content.
Keep it legal & non-disruptive. No DoS, spam, or service degradation.
Protect privacy. Avoid personal data, if encountered inadvertently, stop, don’t store, and report immediately.
Give us a chance to fix. Don’t publicly disclose details before we confirm and remediate or agree on a coordinated path.

Safe harbor. If you follow these rules and act in good faith, we won’t pursue action against your research on Omnia’s in-scope assets. This statement doesn’t waive rights of our users or third parties, but it’s our clear intent.

How to report

Email: info@omniasec.ai Subject: Bug Bounty
Include:
- A clear summary and impact.
- Steps to reproduce, affected endpoints, and test account details.
- Any proof of concept (minimal, non-destructive).
- Your research handle/name for credit (optional).
We aim to acknowledge within 3 business days and keep you posted as we triage and fix. (Small team, honest effort.)

Recognition & (non-cash) rewards

Hall of Fame: we’ll list your handle/name and a short description of your finding (with your consent).
Swag: where possible, we’ll send a t-shirt or cap as a thank-you.
No cash bounties (for now). When funding allows, we’ll revisit this.

Coordinated disclosure

We prefer collaborative timelines. We don’t enforce a rigid clock, instead, we’ll agree on a reasonable path based on severity and complexity. Critical issues get priority. If a public risk emerges, we’ll communicate promptly and transparently.

A note on openness (and why some “bugs” aren’t bugs)

Omnia favors experimentation. That means:

Minimal guardrails for security research value.
Transparent architecture choices (including sharing our System Prompt ).
Community ranking to promote useful content and down-rank noise.

We still care deeply about real security and privacy. If you can cross tenant boundaries, access private data, escalate privileges, or touch our infrastructure in ways you shouldn’t, that’s gold. Please tell us.

Legal & privacy

We operate under EU/Spanish law. Please avoid handling personal data. If unavoidable, minimize exposure, document, and notify us immediately.
By sending a report, you agree we may use it to improve Omnia. We won’t share your personal info beyond what’s necessary to triage, fix, and credit you (if you want credit).

Thank you

If you’ve read this far, you’re already helping. We’re building Omnia in the open because we believe shared knowledge makes cybersecurity stronger. Thanks for keeping us honest and safer.

Account details

Bug Bounty