We take security seriously. If you have found a vulnerability in the MatrisAI platform, the merchant dashboard, the per-shop runtimes, or any related infrastructure, please tell us in a coordinated way so we can fix it before anyone is harmed.
Security disclosure
support@matris.aiUse subject line "Security report: <short description>". We acknowledge new reports within one business day.
What to include
- A clear, reproducible description of the issue with the steps to reproduce it.
- The URL, endpoint, or component affected.
- Proof-of-concept code, screenshots or screen recordings if they help illustrate the issue.
- Your assessment of the impact and severity.
- Whether you are willing to be credited publicly when the fix ships, and how you would like to be credited.
What we ask in return
- Give us a reasonable window to investigate and ship a fix before any public disclosure. We will keep you in the loop on the timeline.
- Do not access or modify data that does not belong to you. If a vulnerability gives you access to other accounts, stop and report it instead of demonstrating further.
- Avoid disruptive testing: no automated denial-of-service, no spam, no destructive payloads against live merchant stores.
- Comply with applicable law and the MatrisAI Terms of Service.
Safe harbour
If you act in good faith and follow the rules above, we will not pursue legal action for your security research and will publicly acknowledge your contribution if you wish. We do not run a paid bug-bounty programme at this time; we may, at our discretion, offer credit, merchandise or a goodwill payment.
Out of scope
The following typically do not qualify as security issues:
- Findings from automated scanners that are not paired with a working exploit.
- Best-practice configuration recommendations without a demonstrable impact (e.g. missing low-impact HTTP headers on marketing pages).
- Vulnerabilities in third-party software we use but cannot patch ourselves (please report them upstream).
- Self-XSS that requires the user to type or paste a payload into their own browser console.
- Social-engineering attacks against our staff or customers.