Reporting a security issue

Vox Arcana welcomes responsible disclosure of security vulnerabilities. If you believe you have found a vulnerability affecting vox-arcana.org or any of our customer-facing systems, please contact us privately at security@vox-arcana.org.

Scope

  • In scope: vox-arcana.org, voxarcana.myshopify.com, and any subdomains we operate directly.
  • Out of scope: third-party platforms we use (Shopify, Stripe, Klaviyo, ActiveCampaign, Cloudflare, Make.com). Please report issues with those systems directly to the respective vendor.

Our commitment

  • We will acknowledge receipt within 5 business days.
  • We will investigate and provide a status update within 30 days.
  • We will not pursue legal action against researchers acting in good faith who comply with this policy.

Safe harbor

We consider security research conducted under this policy to be authorized. Researchers who follow this policy in good faith will not face legal action from Vox Arcana for testing within scope. Please avoid privacy violations, service disruptions, and destruction of data.

What not to do

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform denial-of-service attacks or otherwise disrupt the live store.
  • Do not socially engineer Vox Arcana staff or customers.
  • Do not disclose the vulnerability publicly before we have had time to remediate.

PGP / encrypted reports

If you require encrypted communication, request our PGP key at security@vox-arcana.org.

Last updated: 2026-04-28. Vox Arcana LLC, State of New Mexico, USA.