Security policy

Email security@hatchery.pet. We aim to acknowledge valid reports within 72 hours.

• The production web app at hatchery.pet.
• The public API routes exposed by the same app.
• The public MCP endpoint for The Hatchery.

• Denial-of-service testing or traffic flooding.
• Social engineering, phishing, or physical attacks.
• Third-party services unless the issue is caused by our configuration.
• Accessing, changing, or deleting data that is not yours.

If you act in good faith, avoid privacy violations, and give us a reasonable window to fix the issue before public disclosure, we will not pursue action against your research.