Last updated: March 16, 2026

Vulnerability Disclosure Policy

AskVerdict AI takes security seriously. We support responsible, private, and coordinated reporting of security vulnerabilities by researchers, customers, and the community. This policy describes how to report issues, what to expect, and how we handle disclosures.

Quick Summary

Applies to: Security researchers, customers, and users reporting vulnerabilities in AskVerdict AI systems.

Report to support@askverdict.ai - we acknowledge within 24 hours.
Safe harbor protects good-faith researchers who follow this policy.
Severity-based SLAs from 24 hours (critical) to 30 days (low), with recognition for valid reports.

1. How to Report

Email your report to support@askverdict.ai

Use subject line: Security Report - [Brief Description]

For sensitive reports, you may encrypt your email using our PGP key (available on request).

2. What to Include

A good report helps us triage faster. Include as much of the following as possible:

Affected target - URL, endpoint, API route, or component
Vulnerability type - XSS, CSRF, IDOR, injection, misconfiguration, etc.
Reproduction steps - Clear, numbered steps with any preconditions
Proof of concept - Screenshots, HTTP request/response pairs, or a minimal PoC file
Impact assessment - What an attacker could realistically achieve
Suggested fix - Optional but appreciated
Your contact info - So we can follow up and credit you

3. In-Scope Systems

We encourage reports related to vulnerabilities in:

askverdict.ai (web application)

api.askverdict.ai (backend API)

Authentication and session management

Authorization and access control

Data exposure and privacy risks

Injection vulnerabilities (SQL, XSS, SSRF)

API security (rate limiting, input validation)

Cryptographic weaknesses

Security header misconfigurations

Third-party integration security

4. Out-of-Scope Activity

The following is not covered by this policy and should not be attempted:

Denial of service (DoS/DDoS) or resource exhaustion testing
Social engineering, phishing, or physical intrusion attempts
Spam, SEO poisoning, or content injection without security impact
Reports without reproducible technical evidence
Accessing, modifying, or deleting real user data
Automated vulnerability scanning that degrades service performance
Testing against accounts you do not own (without explicit permission)
Issues in third-party services not operated by AskVerdict

5. Severity Classification and Response SLAs

We classify vulnerabilities using a risk-based model considering impact, exploitability, affected surface area, and data sensitivity.

CriticalResponse: 24 hours

Remote code execution, authentication bypass, full data breach, privilege escalation to admin

Examples: SQL injection with data access, auth token forgery, SSRF to internal services

HighResponse: 72 hours

Significant data exposure, stored XSS, CSRF on sensitive actions, IDOR with PII access

Examples: Accessing another user's debates, modifying billing state, stored XSS in shared verdicts

MediumResponse: 7 days

Limited data exposure, reflected XSS, security misconfiguration with real impact

Examples: Clickjacking on sensitive actions, open redirect, information disclosure in API responses

LowResponse: 30 days

Minor misconfigurations, missing headers with limited exploitability, best-practice gaps

Examples: Missing rate limiting on non-sensitive endpoints, verbose error messages, cookie flag improvements

6. Response Process

Every valid report follows this lifecycle:

AcknowledgmentWithin 24 hours

We confirm receipt and assign a tracking ID.

TriageWithin 72 hours

We assess severity, reproducibility, and affected scope.

RemediationBased on severity

We develop and test a fix following our severity SLAs.

ValidationBefore closure

We verify the fix and notify you before closing the report.

DisclosureAfter fix is live

We coordinate public disclosure timing with you.

7. Responsible Testing Rules

Test only what is necessary to confirm the vulnerability.
Use test accounts you own. Do not access other users' data.
Do not modify, delete, or exfiltrate any data.
Do not establish persistence, backdoors, or long-running footholds.
Stop testing and report immediately if you encounter real user data.
Do not publicly disclose the issue before we have deployed a fix.
Do not use automated scanners without prior coordination.

8. Safe Harbor

AskVerdict will not initiate legal action against researchers who discover and report vulnerabilities in good faith, follow this policy, avoid privacy harm and service disruption, and report privately for remediation before any public disclosure.

Safe harbor does not extend to illegal activity, extortion, intentional privacy violations, or actions that cause material harm to AskVerdict users or systems. We reserve the right to involve law enforcement if activity falls outside the bounds of good-faith research.

9. Recognition and Rewards

We value the security research community and believe in recognizing contributions that help keep our users safe.

For valid reports, we offer:

Public acknowledgment on our Security Hall of Fame (with your permission)
AskVerdict AI Founding Member seat (500 credits/month, while spots remain)
Direct communication with our engineering team on the fix
Priority consideration for future paid bounty programs

AskVerdict does not currently operate a standing paid bounty program. We may introduce one as our security program matures. Researchers who have contributed valid reports will be notified first.

10. Coordinated Disclosure

We ask that you do not disclose vulnerabilities publicly until a fix has been deployed and affected users are protected. We target a standard 90-day disclosure window for non-critical issues, and work to resolve critical issues well within that timeframe.

Once a fix is live, we are happy to coordinate a joint disclosure that credits your research. If you plan to publish a write-up or CVE, please let us know so we can review for accuracy and coordinate timing.

11. Liability and Legal Boundaries

By submitting a vulnerability report, you acknowledge and agree to the following:

AskVerdict reserves the right to determine the validity, severity, and priority of any reported vulnerability at its sole discretion.
Submission of a report does not create an employment, contractor, or agency relationship between you and AskVerdict.
AskVerdict is not obligated to act on, fix, or respond to every report, though we make best efforts to do so.
You may not leverage a vulnerability report for extortion, coercion, or unauthorized demands for compensation.
Any testing that results in data loss, service disruption, or privacy harm to AskVerdict users may be referred to law enforcement regardless of stated intent.
Report handling is subject to privacy, legal, and security obligations. We may limit technical detail sharing where necessary to protect users, ongoing investigations, or platform security.
Reporter contact information is handled per our Privacy Policy and is never shared externally without consent.

12. Policy Updates

This policy may be updated as our security program evolves. Material changes will be reflected in the "Last updated" date above. The current version is always available at this URL.

Found something?

We appreciate your help keeping AskVerdict AI secure.

Report a Vulnerability

Vulnerability Disclosure Policy

1. How to Report

2. What to Include

3. In-Scope Systems

4. Out-of-Scope Activity

5. Severity Classification and Response SLAs

6. Response Process

7. Responsible Testing Rules

8. Safe Harbor

9. Recognition and Rewards

10. Coordinated Disclosure

11. Liability and Legal Boundaries

12. Policy Updates

Found something?

Product

Company

Use Cases

Teams

Content

Developer

Policies

Agreements