Original Pictures is cryptographic infrastructure. Security issues are treated as P0 incidents. We operate a responsible disclosure program and pay bounties for qualifying vulnerabilities.
Email [email protected] with a description of the issue, reproduction steps, and your assessment of severity. PGP encryption available on request.
Do not open a public GitHub issue for security vulnerabilities. Please allow 72 hours for an initial triage response before any public disclosure.
api.originalpictures.com REST API — authentication, signing, verification endpoints verify.originalpictures.com Public verifier UI and widget originalpictures.com Landing site console.originalpictures.com Admin console — tenant management, API keys, billing signer (internal) KMS signer service — cryptographic signing boundary SDK packages npm: @originalpictures/sdk · PyPI: originalpictures · Go module: github.com/originalpictures/sdk-go We pay bounties for qualifying vulnerabilities on in-scope targets. Amounts are determined by CVSS score, exploitability, and impact on customer data or cryptographic integrity. Typical ranges:
If you comply with this policy when investigating a vulnerability — including avoiding privacy violations, data destruction, and service disruption — we will not pursue legal action against you. We consider security research conducted in good faith to be authorized activity. We will not refer researchers to law enforcement except for intentional malicious attacks.