Security Policy
Last updated: January 2026
1. Reporting a Vulnerability
Annotarium takes the security of its systems seriously and welcomes responsible security research.
If you discover a potential security vulnerability in Annotarium, please report it to: help@annotarium.org.
Please include sufficient detail to allow us to understand and reproduce the issue.
2. Scope
- annotarium.org and its subdomains
- The Annotarium web application
- Annotarium-controlled API endpoints
Only systems owned or operated by Annotarium are in scope.
3. Out of Scope
- Third-party services and infrastructure (including but not limited to Cloudflare, Microsoft, Google, AI/OCR providers)
- Social engineering, phishing, or spam
- Denial-of-service (DoS/DDoS) attacks
- Automated scanning that significantly impacts availability
- Vulnerabilities requiring physical access
- Issues in client devices, browsers, or operating systems
4. Responsible Disclosure Expectations
- Avoid accessing, modifying, or deleting user data
- Avoid actions that could disrupt service availability
- Limit testing to what is necessary to demonstrate the issue
- Report vulnerabilities privately and refrain from public disclosure until we have had a reasonable opportunity to investigate and address the issue
5. Safe Harbour
Annotarium will not pursue legal action against individuals who:
- Conduct security research in good faith
- Follow this policy
- Do not exploit vulnerabilities beyond what is necessary to demonstrate them
- Do not intentionally harm users or the service
This safe harbour applies only to activities conducted within the scope of this policy.
6. Response Expectations
We aim to:
- Acknowledge vulnerability reports within 72 hours
- Provide status updates as appropriate during investigation
Resolution timelines may vary depending on severity and complexity.
7. Bug Bounties
Annotarium does not currently operate a paid bug bounty programme. Submission of a report does not guarantee compensation, rewards, or public acknowledgement.
8. Security Practices
Annotarium is designed using modern web security best practices, including HTTPS and standard browser security mechanisms. While reasonable measures are taken to protect the service, no system can be guaranteed to be completely secure.