Security

Security

Last updated: January 2026

Security reports are welcome. This page covers the studio website and routing guidance; product-specific reports should include the affected domain.

1. Security posture

Any.xyz builds and operates public websites, product sites, APIs, and premium-domain properties. We use standard controls for access management, encrypted transport, dependency maintenance, monitoring, and incident response. Product-specific controls vary by product and hosting environment.

2. Responsible disclosure

We appreciate clear, good-faith security reports. A useful report includes:

  • The affected domain, endpoint, or page.
  • Steps to reproduce the issue without harming other users or systems.
  • Observed impact and any relevant screenshots or request metadata.
  • Your preferred contact information for follow-up.

3. Research boundaries

  • Do not run destructive tests, denial-of-service tests, or automated high-volume scanning.
  • Do not access, alter, copy, or disclose data that does not belong to you.
  • Do not attempt social engineering, phishing, or physical attacks.
  • Give us reasonable time to investigate before public disclosure.

4. Studio and product routing

If the report affects Any.xyz itself, include any.xyz in the subject line. If it affects a portfolio product, include the exact product domain so we can route it to the right operator quickly.

5. Contact

Send security reports to security@any.xyz. We aim to acknowledge legitimate reports promptly and keep the communication practical.