Vulnerability Disclosure Policy

Rime is committed to keeping our TTS cloud API, dashboard, and website secure. We value the work of independent security researchers and welcome reports of potential vulnerabilities.

Scope

This policy applies to:

  • The Rime TTS cloud API (api.rime.ai and all API endpoints)

  • The Rime customer dashboard/console

  • The rime.ai website

Out of scope:

  • Third-party services, integrations, or infrastructure not owned by Rime (e.g. subprocessors, payment providers)

  • Denial-of-service (DoS/DDoS) testing

  • Physical security testing

  • Social engineering of Rime employees, contractors, or customers

  • Spam, phishing, or automated content generation using the API for the purpose of testing

  • Findings from automated scanners without manual validation of impact

  • Reports on missing security headers, cookie flags, or best-practice deviations without a demonstrated exploitable impact

  • Vulnerabilities requiring physical access to a user's device

  • Self-XSS or issues that require an attacker to already control the victim's account/session

How to Report

Email security@rime.ai with:

  • A clear description of the vulnerability and its potential impact

  • Step-by-step instructions to reproduce the issue

  • Any proof-of-concept code, request/response samples, or screenshots

  • The API endpoint, account, or component affected

  • Your contact information (for follow-up and, if applicable, credit)

Please submit one vulnerability per report unless chaining multiple issues is necessary to demonstrate impact.

What to Expect

  • Acknowledgment: We'll confirm receipt of your report within 3 business days.

  • Triage & updates: We'll assess the report and provide a status update within 10 business days, and periodically thereafter until resolution.

  • Resolution: Timelines depend on severity and complexity. Critical issues are prioritized for immediate remediation.

  • Recognition: With your permission, we're happy to credit you publicly once a fix is deployed. We don't run a fixed bounty program, but we may offer swag or a discretionary reward for high-impact, well-documented reports, at our sole discretion.

Ground Rules

While researching under this policy, please:

  • Only test against accounts and data you own, or test data explicitly provided for this purpose

  • Avoid accessing, modifying, or deleting data that isn't yours

  • Avoid actions that could degrade service for other users (rate-limit abuse, DoS, mass account creation)

  • Report the issue promptly and give us reasonable time to remediate before any public disclosure

  • Do not exploit a vulnerability beyond what's necessary to prove it exists

Safe Harbor

Rime considers security research conducted in accordance with this policy to be authorized. We will not pursue legal action or refer you to law enforcement for good-faith testing that:

  • Stays within the scope defined above

  • Follows the ground rules above

  • Is reported to us promptly and privately via security@rime.ai

If a third party initiates legal action related to activity conducted in compliance with this policy, we will make it clear that your actions were authorized.

This policy does not grant permission to test systems outside the defined scope, and Rime reserves the right to update this policy at any time.

Last updated: June 30, 2026