48h
Initial response
7 days
Critical fix target
30 days
Coordinated disclosure

Our Commitments

Scope

In scope
  • verbospilot.com and subdomains
  • app.verbospilot.com
  • Authentication and session security
  • Webhook ingestion endpoints
  • API endpoints (/api/*)
  • Privilege escalation
  • Data exposure / IDOR
  • XSS and injection vulnerabilities
Out of scope
  • Denial of service attacks
  • Social engineering of staff
  • Physical security
  • Automated scanning without prior permission
  • Third-party services we don't control
  • Issues requiring unlikely user interaction
  • Self-XSS
  • Missing rate limits on non-auth endpoints

What We Ask of You

What to Include in Your Report

Bug Bounty

We do not currently operate a paid bug bounty program. We offer public acknowledgement and a heartfelt thank you. We review this policy annually and may introduce bounties in the future.

Submit a Report

Report a vulnerability

Send your report by email. Include as much detail as possible. Please do not submit vulnerability reports through public channels (GitHub issues, Twitter, etc.).

Email [email protected]
PGP key available on request · Response within 48 hours