Security Policy
Effective Date: 2026-05-30 Last Updated: 2026-05-30
Migaki welcomes responsible security reports for migaki.moe and the public Migaki API. This page defines the safe channel and boundaries for reporting suspected vulnerabilities.
1. Contact
Please report security issues to:
- Security: security@migaki.moe
- Abuse / policy safety: abuse@migaki.moe
If a report contains sensitive details, do not post it publicly. Include a concise summary, affected URL or endpoint, reproduction steps, expected impact, approximate timestamps, and only the minimum request/response details needed to reproduce the issue. Remove cookies, authorization headers, payment data, and other users' personal data before sending.
2. Machine-readable disclosure
Migaki also publishes a machine-readable disclosure file at:
The current security.txt expires on 2027-05-30T00:00:00Z and points back to this policy as canonical scope guidance.
3. In Scope
- Public Migaki web pages at https://migaki.moe
- Public web application flows available to normal users
- Authenticated account, subscription, upload, processing, download, and account self-service flows
- Public policy, contact, and disclosure surfaces
4. Out of Scope / Prohibited Testing
Do not perform:
- DDoS, flooding, resource-exhaustion, or cost-amplification attacks
- Credential stuffing, password spraying, brute force, or phishing
- Social engineering, physical attacks, or attempts to identify private individuals
- Accessing, downloading, modifying, or deleting another user's files or account data
- Payment fraud, chargeback abuse, or tests against third-party checkout providers beyond normal sandbox/low-risk observation
- Destructive tests, persistence, malware, or attempts to extract private service internals or proprietary assets
If you discover that your testing may expose another user's data, stop immediately and report the issue with only metadata sufficient to identify the problem.
5. Response Expectations
We aim to acknowledge valid security reports within 72 hours and will prioritize fixes based on severity, exploitability, and user impact.
Migaki does not currently operate a paid bug bounty program. Reports may be credited publicly only with the reporter's consent and only after the issue is fixed.
6. Legal and Privacy Notes
This policy is not permission to violate the law, attack third-party services, or disrupt Migaki. Keep testing limited, non-destructive, and privacy-preserving.
Migaki does not publish personal phone numbers or residential addresses for security contact. Use the role emails above for all vulnerability reports.
Questions about this policy? support@migaki.moe