M87 SECURITY POLICY
Last Updated: September 8, 2025
1. Introduction & Scope
M87, operated by Cosmic Intelligence, LLC (“we,” “us,” “our”), is committed to protecting the confidentiality, integrity, and availability of our platform and user data. This Security Policy describes the administrative, technical, and physical safeguards we use across the application, APIs, data stores, CI/CD pipeline, and cloud infrastructure.
This policy works together with our Terms of Service and Privacy Policy.
⸻
2. Reporting Security Issues (Responsible Disclosure)
We encourage good-faith research and responsible disclosure.
• Report to: root@cosmicai.dev. Include a clear description, steps to reproduce, impact, affected components, and any proof-of-concept.
• Acknowledgment: We confirm receipt within 1 business day.
• Collaboration: We will work with you to validate and address the issue promptly.
• Recognition: We offer appropriate public credit for valid, responsibly disclosed issues (unless you request otherwise).
• Safe Harbor: If you comply with this policy, act in good faith, and avoid privacy violations, data destruction, or service disruption, we will not pursue legal action.
• Out-of-Scope / Prohibited Testing:
  • No DDoS, spam, or social engineering against our users or staff.
  • No access to other users’ data; use only your own accounts/test data.
  • No automated scanning that materially degrades the service.
  • Don’t publicly disclose details before we’ve remediated or within 30 days of our acknowledgement (whichever is sooner), unless otherwise agreed.
No monetary bounties at this time.
⸻
3. Our Security Practices
3.1 Data Protection
• Encryption in Transit: All data between clients and M87 uses TLS/HTTPS.
• Encryption at Rest: We use industry-standard cloud storage with encryption at rest where available.
• Data Minimization: We collect only what we need to operate, secure, and improve the Service.
• Passwords: User passwords are bcrypt-hashed; we never store plaintext passwords.
• Prompts & Outputs: User prompts and outputs (including images and audio) are handled per our Privacy Policy and used to operate, secure, and improve the Service (including safety/abuse prevention).
• Backups & Recovery: Core data is backed up on a periodic schedule with tested restore procedures; we make commercially reasonable efforts to restore availability promptly after an incident.
3.2 Authentication & Session Security
• Login Flows: Robust password standards and server-side validation.
• Sessions: HTTP-only cookies, Secure and SameSite flags in production, and inactivity timeouts of ~45 minutes (subject to change for security/reliability).
• Rate Limits: We enforce quotas and rate limits to reduce abuse and credential-stuffing risk.
• MFA: We are rolling out multi-factor authentication (MFA) for administrative and developer accounts and enable it wherever supported.
• SSO: Where available, we support modern identity providers for administrative access.
3.3 Application Security (SDLC)
• Secure Development Lifecycle: Threat-informed design, code review, and least-privilege defaults.
• Dependency Hygiene: Routine updates for third-party libraries; monitoring for known CVEs.
• Secrets Management: Secrets are stored outside source control and rotated periodically.
• Configuration Hardening: Environment-specific configs; no shared secrets across dev/staging/prod.
• Logging: Security-relevant events are logged and monitored; access to logs is restricted.
• Content Security: We employ safeguards (e.g., input validation, output filtering) against common web vulnerabilities (injection, XSS, CSRF).
• AI Safety: Automated and limited human review support abuse detection and policy enforcement; we may filter or block unsafe content.
3.4 Infrastructure & Access Control
• Cloud Security: We use reputable cloud providers with strong physical and environmental controls.
• Network Controls: Firewalling, security groups, and least-exposure defaults; ingress only as needed.
• Access Management: Least privilege and need-to-know for production access; individual accounts (no shared logins); access reviews performed periodically.
• Monitoring & Alerting: Continuous monitoring for anomalies; alerts routed to on-call.
• Vulnerability Management: Routine scanning and prioritized patching; emergency out-of-band patches for critical issues.
• Third-Party Providers: We assess critical vendors (e.g., cloud, Stripe, AI model providers) for security posture and contractual safeguards.
3.5 Data Classification & Handling
• User Content & Outputs: Treated as confidential and access-controlled.
• Operational Logs & Metrics: Access restricted to authorized staff for security, reliability, and analytics; retained consistent with our Privacy Policy.
• Exports: Data exports are access-controlled and transmitted via secure channels.
3.6 Business Continuity & Incident Response
• Incident Response Plan: Defined procedures for detection, containment, eradication, recovery, and post-mortem.
• User Notification: We will notify affected users without undue delay when required by law (and, where applicable, within timelines such as 72 hours under GDPR).
• Post-Incident Review: We conduct root-cause analysis and implement corrective actions.
⸻
4. User Responsibilities
Security is a shared responsibility. Users should:
• Use strong, unique passwords and consider a password manager.
• Keep devices and browsers up to date.
• Never share account credentials; maintain access control within your organization.
• Log out on shared/public devices.
• Report suspicious activity or potential vulnerabilities to root@cosmicai.dev immediately.
• Use outputs responsibly and comply with our ToS and applicable laws.
⸻
5. Subprocessors & Third Parties
We rely on vetted third-party providers (e.g., cloud hosting, storage/CDN, analytics, Stripe for payments, and AI model providers). Each processes data under contract and only for specified purposes. See our Privacy Policy for categories of processors and data flows.
⸻
6. Updates to This Policy
We may update this Security Policy to reflect changes in our practices, technology, or legal requirements. The “Last Updated” date will reflect any change. Material changes may be communicated in-app or by email.
⸻
7. Contact
Security inquiries and reports: root@cosmicai.dev