Skip to content

Security you can feel.

You trust us with your account, your work, and sometimes your payment details. We treat that trust as the product itself — and engineer for it on every request, in every layer.

TLS 1.2+

Encryption on every request

Zero

Passwords stored when you use a passkey

24/7

Automated abuse monitoring

PCI L1

Payments handled by Stripe

Our commitment

Security isn't a feature. It's the foundation.

How we keep you safe

Protection at every layer.

Real controls, not slogans. Here is what actually stands between a threat and your data.

Encrypted in transit

Every byte you exchange with RMH Studios travels over TLS. HTTP Strict Transport Security tells your browser to connect securely and never fall back, so downgrade attacks get nowhere.

TLS · HSTS

Passwordless, phishing-resistant sign-in

Sign in with a passkey and there is no password to steal, phish, or leak. Prefer a provider? Use Google, Discord, or GitHub. Sessions live in hardened, HTTP-only cookies.

Passkeys · OAuth 2.0

We never see your card

Payments run through Stripe, certified to PCI DSS Level 1. Your card details go straight to Stripe over an encrypted channel — they never touch, and never rest on, our servers.

Stripe · PCI DSS L1

Defense in depth

A Content-Security-Policy, strict security headers, server-side SSRF guards on outbound fetches, and per-route rate limits mean a single mistake can never become a breach.

CSP · Rate limits

Privacy is the default

We collect the minimum we need to run the product, we never sell your data, and you can export or delete it whenever you want. Fewer things to protect is safer for everyone.

Data minimization

Watched around the clock

Abuse detection, brute-force throttling, and tamper-evident audit logs run continuously, so unusual activity is caught early — not read about after the fact.

Monitoring · Audit logs

Built around your account

Your account, locked down.

The strongest security is the kind you never have to think about. These protections are on by default.

Passkeys & WebAuthn

Your device's secure enclave proves it's you with Face ID, Touch ID, or a hardware key. The secret never leaves your device — there is nothing on our side to breach.

Trusted single sign-on

Sign in with Google, Discord, or GitHub and lean on the accounts — and two-factor protection — you already use every day.

Hardened sessions

Session tokens sit in Secure, HTTP-only, SameSite cookies that scripts can't read and other sites can't ride. On HTTPS they are marked Secure automatically.

Brute-force resistant

Sign-in, sign-up, and password-reset endpoints are individually rate-limited to shut down credential stuffing and password guessing.

Encrypted at rest

Your data lives in managed databases and object storage that are encrypted at rest, with access restricted by the principle of least privilege.

You're always in control

Change your handle, export your data, or delete your account on your terms — and sign out of your sessions whenever you want.

Bug bounty program

Break it. Get paid.

Security is a team sport, and researchers are on our team. Report a real, original vulnerability and we'll reward it — up to $2,500,000 for the most serious findings.

CriticalUp to $2,500,000

A break that could compromise the platform itself or its users at scale.

Remote code execution on production infrastructure · full authentication bypass · mass account takeover · extraction of the production database or platform secrets.

HighUp to $250,000

Serious access to data or systems you shouldn't be able to reach.

SQL/command injection · SSRF reaching internal services or cloud metadata · stored XSS in another user's session · IDOR exposing another user's private data · privilege escalation to admin · payment or entitlement manipulation.

MediumUp to $25,000

A real flaw with a meaningful, but bounded, impact.

CSRF on sensitive actions · reflected XSS · authorization gaps with limited scope · open redirects usable for phishing · rate-limit bypasses that enable abuse.

LowUp to $2,500

A genuine issue with a realistic, if narrow, path to harm.

Self-XSS with a credible escalation · low-impact information disclosure · security misconfigurations with a demonstrated effect.

What each vulnerability is worth

Bug bounty categories, their maximum reward, and what qualifies.
CategoryUp toWhat qualifies
Remote code execution$2,500,000Run arbitrary code on RMH Studios production servers. Needs a working proof-of-concept that does not rely on already-compromised credentials.
Authentication bypass / account takeover$2,500,000Sign in as another user or defeat our passkey / OAuth / session checks without their help. Zero-click and reproducible at scale reaches the top of the range.
Broken access control / IDOR$250,000Read or change another user's private data or resources by manipulating identifiers. The reward scales with the sensitivity and volume of data reached.
Server-side request forgery (SSRF)$250,000Coerce our servers into requests to internal services or cloud metadata. You must demonstrate reaching a genuinely non-public target.
Injection (SQL / command)$250,000Inject into a database or shell through unsanitised input, with a PoC that reads or alters data you shouldn't be able to reach.
Stored cross-site scripting (XSS)$250,000Achieve persistent script execution in another user’s session. Provide the payload and the exact page it fires on.
Payment / entitlement manipulation$250,000Obtain paid features, coins, or subscriptions without paying, or change another user's balance or entitlements.
Sensitive data / secret exposure$250,000Expose secrets, tokens, or other users’ personal data. Report the exact endpoint and stop — never exfiltrate data at scale.
CSRF / reflected XSS$25,000Force a state-changing request cross-site, or reflect script execution from a request parameter. Include a working exploit page.
Open redirect & phishing vectors$25,000Redirect our users to an attacker-controlled destination from a trusted rmhstudios.com URL.

In scope

  • rmhstudios.com and its subdomains
  • Our public API, developer platform, and web apps
  • Authentication, payments, and how we handle your data

Out of scope

  • Denial-of-service and volumetric attacks
  • Social engineering, phishing our staff, or physical access
  • Scanner output or missing headers with no proof-of-concept
  • Issues in third parties (Stripe, Discord, cloud providers)

Rules of engagement

  • Only ever test against your own account and data
  • Never access, change, or destroy data that isn't yours
  • Give us a reasonable window to fix before going public
  • One clear, reproducible vulnerability per report

Submit a report

Found a weakness? Tell us.

Send it straight to our security team below. We acknowledge every report within two business days, keep you posted through triage, and pay out once it's confirmed.

Submit a vulnerability. Fields marked (required) are required.

Prefer email? [email protected]

Safe harbor. Report in good faith — don't access data that isn't yours, and give us a reasonable window to ship a fix before disclosing publicly. Do that, and we won't pursue legal action. Prefer email? Reach us at [email protected].