Security & Disclosure
Last updated: 1 May 2026.
Found a security issue? Email zee@hauntapi.com with enough detail to reproduce it.
What to report
- Authentication bypasses or API key exposure.
- Access to another customer’s data.
- Server-side request forgery or extraction sandbox escapes.
- Billing or quota bypasses.
Rules
Do not access, destroy, or exfiltrate customer data. Do not run denial-of-service tests. Report the issue and give us time to fix it.
Security basics
API keys should be treated like passwords. Haunt stores passwords as hashes and uses Stripe for payment card handling.