Encrypted in transit
Every byte you exchange with RMH Studios travels over TLS. HTTP Strict Transport Security tells your browser to connect securely and never fall back, so downgrade attacks get nowhere.
TLS · HSTSYou trust us with your account, your work, and sometimes your payment details. We treat that trust as the product itself — and engineer for it on every request, in every layer.
TLS 1.2+
Encryption on every request
Zero
Passwords stored when you use a passkey
24/7
Automated abuse monitoring
PCI L1
Payments handled by Stripe
Our commitment
How we keep you safe
Real controls, not slogans. Here is what actually stands between a threat and your data.
Every byte you exchange with RMH Studios travels over TLS. HTTP Strict Transport Security tells your browser to connect securely and never fall back, so downgrade attacks get nowhere.
TLS · HSTSSign in with a passkey and there is no password to steal, phish, or leak. Prefer a provider? Use Google, Discord, or GitHub. Sessions live in hardened, HTTP-only cookies.
Passkeys · OAuth 2.0Payments run through Stripe, certified to PCI DSS Level 1. Your card details go straight to Stripe over an encrypted channel — they never touch, and never rest on, our servers.
Stripe · PCI DSS L1A Content-Security-Policy, strict security headers, server-side SSRF guards on outbound fetches, and per-route rate limits mean a single mistake can never become a breach.
CSP · Rate limitsWe collect the minimum we need to run the product, we never sell your data, and you can export or delete it whenever you want. Fewer things to protect is safer for everyone.
Data minimizationAbuse detection, brute-force throttling, and tamper-evident audit logs run continuously, so unusual activity is caught early — not read about after the fact.
Monitoring · Audit logsBuilt around your account
The strongest security is the kind you never have to think about. These protections are on by default.
Your device's secure enclave proves it's you with Face ID, Touch ID, or a hardware key. The secret never leaves your device — there is nothing on our side to breach.
Sign in with Google, Discord, or GitHub and lean on the accounts — and two-factor protection — you already use every day.
Session tokens sit in Secure, HTTP-only, SameSite cookies that scripts can't read and other sites can't ride. On HTTPS they are marked Secure automatically.
Sign-in, sign-up, and password-reset endpoints are individually rate-limited to shut down credential stuffing and password guessing.
Your data lives in managed databases and object storage that are encrypted at rest, with access restricted by the principle of least privilege.
Change your handle, export your data, or delete your account on your terms — and sign out of your sessions whenever you want.
Bug bounty program
Security is a team sport, and researchers are on our team. Report a real, original vulnerability and we'll reward it — up to $2,500,000 for the most serious findings.
A break that could compromise the platform itself or its users at scale.
Remote code execution on production infrastructure · full authentication bypass · mass account takeover · extraction of the production database or platform secrets.
Serious access to data or systems you shouldn't be able to reach.
SQL/command injection · SSRF reaching internal services or cloud metadata · stored XSS in another user's session · IDOR exposing another user's private data · privilege escalation to admin · payment or entitlement manipulation.
A real flaw with a meaningful, but bounded, impact.
CSRF on sensitive actions · reflected XSS · authorization gaps with limited scope · open redirects usable for phishing · rate-limit bypasses that enable abuse.
A genuine issue with a realistic, if narrow, path to harm.
Self-XSS with a credible escalation · low-impact information disclosure · security misconfigurations with a demonstrated effect.
| Category | Up to | What qualifies |
|---|---|---|
| Remote code execution | $2,500,000 | Run arbitrary code on RMH Studios production servers. Needs a working proof-of-concept that does not rely on already-compromised credentials. |
| Authentication bypass / account takeover | $2,500,000 | Sign in as another user or defeat our passkey / OAuth / session checks without their help. Zero-click and reproducible at scale reaches the top of the range. |
| Broken access control / IDOR | $250,000 | Read or change another user's private data or resources by manipulating identifiers. The reward scales with the sensitivity and volume of data reached. |
| Server-side request forgery (SSRF) | $250,000 | Coerce our servers into requests to internal services or cloud metadata. You must demonstrate reaching a genuinely non-public target. |
| Injection (SQL / command) | $250,000 | Inject into a database or shell through unsanitised input, with a PoC that reads or alters data you shouldn't be able to reach. |
| Stored cross-site scripting (XSS) | $250,000 | Achieve persistent script execution in another user’s session. Provide the payload and the exact page it fires on. |
| Payment / entitlement manipulation | $250,000 | Obtain paid features, coins, or subscriptions without paying, or change another user's balance or entitlements. |
| Sensitive data / secret exposure | $250,000 | Expose secrets, tokens, or other users’ personal data. Report the exact endpoint and stop — never exfiltrate data at scale. |
| CSRF / reflected XSS | $25,000 | Force a state-changing request cross-site, or reflect script execution from a request parameter. Include a working exploit page. |
| Open redirect & phishing vectors | $25,000 | Redirect our users to an attacker-controlled destination from a trusted rmhstudios.com URL. |
Submit a report
Send it straight to our security team below. We acknowledge every report within two business days, keep you posted through triage, and pay out once it's confirmed.