Vulnerability Disclosure Policy

Introduction

At Assistiv Labs, we are committed to the security of our systems and protecting our users’ data. We value the input of the security research community and believe that working with skilled researchers is a critical part of our security process.

This policy is intended to provide clear guidelines for security researchers to conduct their activities in good faith and report any vulnerabilities they discover to us. By providing a clear framework for vulnerability disclosure, we aim to address security issues as quickly as possible and create a safer environment for our users.

Scope

This policy applies to security vulnerabilities found in the following systems:

The following systems and activities are out of scope and are not authorized for testing:

  • Third-party services and domains not owned by Assistiv Labs.
  • Physical security testing of our offices or data centers.
  • Social engineering (e.g., phishing, vishing) of our employees.
  • Denial-of-Service (DoS/DDoS) attacks.
  • Automated scanning tools that generate a high volume of traffic.
  • Attacks that intentionally compromise the privacy of our users or employees, or destroy data.

How to Report a Vulnerability

If you believe you have found a security vulnerability in one of our in-scope systems, please submit a detailed report to us as soon as possible via email to security@assistivlabs.com.

Your report should include the following information to help us validate and reproduce the issue:

  • A brief description of the vulnerability.
  • Steps to reproduce the vulnerability, including URLs, requests, or any special configuration required.
  • Proof-of-concept (PoC) code or screenshots demonstrating the vulnerability.
  • The potential impact of the vulnerability.

Safe Harbor

We pledge not to initiate or support legal action against you for good-faith security research that is conducted in accordance with this policy. We consider your research to be in "good faith" if you:

  • Comply with all the rules and guidelines of this policy.
  • Do not access, modify, or destroy user data or system configurations.
  • Stop testing as soon as you have identified a vulnerability and report it to us immediately.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it publicly.
  • Do not engage in extortion or make monetary demands to disclose a vulnerability.

Should legal action be initiated by a third party against you for activities that were conducted in compliance with this policy, we will take steps to make it known that your actions were authorized.

Our Commitment to You

When you submit a vulnerability report to us, you can expect the following from our team:

  • We will acknowledge receipt of your report within 3 business days.
  • We will work with you to understand and validate the vulnerability.
  • We will keep you informed of our progress as we work to resolve the issue.
  • We will notify you when the vulnerability is resolved.

Recognition and Rewards

While our bug bounty program does not currently offer monetary rewards, we are grateful for your assistance in improving our security. If you are the first to report a unique and valid vulnerability that leads to a code or configuration change, we would be happy to add your name to the Acknowledgments section on this page.