Original Pictures

Security policy

Original Pictures is cryptographic infrastructure. Security issues are treated as P0 incidents. We operate a responsible disclosure program and pay bounties for qualifying vulnerabilities.

Report a vulnerability

Email [email protected] with a description of the issue, reproduction steps, and your assessment of severity. PGP encryption available on request.

Do not open a public GitHub issue for security vulnerabilities. Please allow 72 hours for an initial triage response before any public disclosure.

[email protected]

In-scope targets

api.originalpictures.com REST API — authentication, signing, verification endpoints
verify.originalpictures.com Public verifier UI and widget
originalpictures.com Landing site
console.originalpictures.com Admin console — tenant management, API keys, billing
signer (internal) KMS signer service — cryptographic signing boundary
SDK packages npm: @originalpictures/sdk · PyPI: originalpictures · Go module: github.com/originalpictures/sdk-go

Out of scope

  • Denial-of-service attacks (rate limiting is intentional)
  • Social engineering of Original Pictures employees
  • Physical attacks against infrastructure
  • Issues in third-party services we depend on (AWS, Cloudflare, Stripe)
  • Missing security headers on non-sensitive static pages
  • SPF/DKIM/DMARC configuration issues
  • Clickjacking on pages without sensitive actions

Severity and response SLA

SeverityCVSS rangeTriage SLAFix SLA
Critical 9.0 – 10.0 4 hours 24 hours
High 7.0 – 8.9 24 hours 7 days
Medium 4.0 – 6.9 72 hours 30 days
Low 0.1 – 3.9 7 days 90 days

Bug bounty

We pay bounties for qualifying vulnerabilities on in-scope targets. Amounts are determined by CVSS score, exploitability, and impact on customer data or cryptographic integrity. Typical ranges:

Critical
$5,000 – $20,000
High
$1,000 – $5,000
Medium
$250 – $1,000
Low
$50 – $250

Safe harbor

If you comply with this policy when investigating a vulnerability — including avoiding privacy violations, data destruction, and service disruption — we will not pursue legal action against you. We consider security research conducted in good faith to be authorized activity. We will not refer researchers to law enforcement except for intentional malicious attacks.