© SANITY 2026
Vulnerability Disclosure Program

The Sanity Vulnerability Disclosure Program (VDP) provides a clear process for security researchers and members of the public to responsibly report security vulnerabilities they discover in Sanity's systems, applications, or services, as outlined in the scope below.

By participating in this program, researchers agree to comply with these rules, with our privacy policy, and with applicable laws.

Scope

The scope of the Sanity VDP includes:

  • Sanity management interfaces:
    • https://manage.sanity.io
    • https://www.sanity.io
  • Sanity APIs:
    • https://api.sanity.io
    • https://apicdn.sanity.io

The program covers security vulnerabilities discovered in Sanity's own systems and software. It does not cover vulnerabilities in third-party services or software used by Sanity unless they lead to a vulnerability in Sanity's systems.

Researchers should only test against their own accounts and data, or against dedicated test accounts and data. Testing must not disrupt or compromise any Sanity customer data.

Sanity will not fund or reimburse fees or subscription costs attached to research.

Qualifying Vulnerabilities

We review every vulnerability reported to us; however, the findings listed below are explicitly out of scope.

Excluded scope

  • Denial of Service (DoS) attacks
  • Resource exhaustion attacks
  • Rate limiting issues
  • Brute force attacks on login or forgot password pages
  • Account lockout not enforced
  • Disclosure of internal IP addresses, software versions, or software names
  • Issues related to cross-domain policies without evidence of exploitability
  • Username/email enumeration via login, pending invitations, forgot password, or registration error messages
  • Cookie validation and expiration issues
  • Weak ciphers used by TLS, or TLS versions prior to 1.3
  • Static content over HTTP
  • Open ports
  • Overly shared storage buckets without demonstration of impact
  • Any form of social engineering/phishing against Sanity staff or customers
  • Reports that require a large amount of target-user interaction, or unlikely or unreasonable user actions, and are therefore more symptomatic of a social engineering or phishing attack than of an application vulnerability

Rewards

Sanity's bug bounty pilot has now closed. We are not currently offering any monetary rewards, swag, or platform credits for vulnerability disclosures.

Reporting Bugs

If you wish to responsibly disclose a vulnerability to Sanity, we strongly prefer that you use the OpenSSF vulnerability reporting template to write your report.

Send your report to security@sanity.io. If you need to encrypt the report, or sensitive sections of it, use the PGP key for security@sanity.io, which is published on the OpenPGP site.

Response SLOs

We commit to acknowledging receipt of your report within 3 business days (excluding US holidays). Triage, mitigation, and resolution of the findings can take longer, and we make no timeline commitments for those stages.

Legal and privacy points

By submitting a report, you agree to Sanity's privacy policy on data handling. We use a ticketing system to track reports; it is listed in our subprocessors.

Your testing must not violate any law, and must not disrupt or compromise any data that is not your own.