Vulnerability Disclosure Program (VDP)
1. OVERVIEW
Voiceowl is committed to ensuring the security of our systems and protecting our users’ data. We welcome security researchers to responsibly disclose any security vulnerabilities they discover in our infrastructure.
2. SCOPE OF SYSTEMS
This section defines the precise logical boundaries for authorized vulnerability research under this program. Researchers must strictly respect these system parameters to maintain safe harbor protection.
This Policy covers all internet-facing information systems, applications, or web platforms owned, operated, or controlled directly by Voiceowl. This includes:
- The primary Voiceowl corporate domain and all official, active subdomains (*.voiceowl.ai).
- Publicly exposed Voiceowl application programming interfaces (APIs) and interface gateway endpoints hosted under our managed cloud infrastructure.
- Web applications and digital service portals natively developed, executed, and distributed by Voiceowl.
3. SCOPE OF VULNERABILITIES
This Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRF (Cross-Site Request Forgery), privilege escalation attacks, SQL Injection, XSS (Cross-Site Scripting), and directory traversal attacks.
This Policy excludes the following vulnerabilities, subject to the Company’s sole technical discretion:
- General security or email best-practice issues, or missing best practices in SSL/TLS configurations, without a working proof-of-concept.
- Physical compromise, workspace intrusions, or office perimeter testing.
- Rate limiting or brute-force issues on non-authenticated endpoints.
- Compromises involving an internal insider or employee credentials.
- Social engineering, including phishing attempts against staff.
- Reflected file downloads or clickjacking on pages with no sensitive actions.
- Account takeovers involving brute-force attacks on accounts that are not yours.
- Red-teaming or adversarial testing of our services.
- Content issues or responses generated by automated logic engines.
- Denial of Service (DoS/DDoS) attacks.
- Missing HttpOnly or Secure flags on cookies.
- Dependency hijacking.
- Any widely publicized zero-day vulnerabilities that have had an upstream patch available for less than 30 days.
4. REPORTING A VULNERABILITY
If you believe you have discovered a security vulnerability, please immediately report it via email to: [email protected].
When submitting a report, please include the following parameters:
- A detailed description of the potential vulnerability and its estimated business impact.
- Clear, reproducible step-by-step technical instructions or attack scenarios.
- Any proof-of-concept (PoC) code, terminal logs, or descriptive screenshots where applicable.
- The exact affected URLs, parameters, headers, or communication endpoints.
5. OUR COMMITMENT
All good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine that a vulnerability exists, we will validate its existence, confirm the status with you, and promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible.
Additionally, we commit to the following:
- Protect your name and contact information, and refrain from disclosing such information without your consent, unless required by lawful legal process or law.
- Refrain from taking legal action as long as your activities adhere strictly to the Safe Harbor criteria below.
- Acknowledge receipt of your submission within three (3) business days.
- Make best efforts to keep you updated as we complete our internal technical investigation and remediation tracking.
6. VULNERABILITY SCORING
Our technical scoring helps determine the internal tracking priority for reported vulnerabilities. While inspired by the Common Vulnerability Scoring System (CVSS v3.1), our assessment is customized to better align with our architecture, specific security priorities, and cloud computing infrastructure.
Scoring Components
- Base Factors: Attack Vector (Network, Adjacent, Local, Physical), Privileges Required, User Interaction, and Scope changes.
- Impact Metrics: Confidentiality Impact, Integrity Impact, and Availability Impact.
Severity Scale
Our scoring scale ranges from 0.0 to 10.0, with severity levels mapped as follows:
- Critical: 9.0 – 10.0
- High: 7.0 – 8.9
- Medium: 4.0 – 6.9
- Low: 0.1 – 3.9
7. REWARDS & ACKNOWLEDGEMENTS
This program is strictly a non-monetary vulnerability disclosure program. The Company does not offer monetary rewards, bug bounties, financial compensation, or public recognition assets (such as a Hall of Fame or badges) for reported vulnerabilities. Submissions must be entirely unconditional and made in the spirit of responsible disclosure.
8. SAFE HARBOR
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with applicable cybersecurity framework rules.
- Exempt from restrictions in our standard Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy.
- Lawful, helpful to the overall security of the internet, and conducted in good faith.
To qualify for safe harbor protection, you must strictly adhere to the following rules:
- Make a good faith effort to avoid privacy violations, and avoid causing any harm to our systems, including avoiding data destruction, unapproved use, access, or acquisition.
- Avoid causing any disruption to the information systems or customer user experiences (including initiating denial of service attacks or using automated tools that generate substantial amounts of network traffic).
- Avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists. If a vulnerability exposes data belonging to others, stop testing immediately, submit a report, and delete all local copies of the information.
- Do not exfiltrate, download, or otherwise retain any data collected during your validation.
- Avoid disclosing the existence of, or any details relating to, the discovered vulnerability to any third party or to the public until you have received prior written approval from our security team.
- Ensure disclosure is unconditional. Do not engage in extortion, threats, or other tactics to elicit a response under duress. Safe Harbor is immediately denied for any activities conducted under such circumstances.
- You must not be listed on any international sanctions list or reside in a sanctioned country.
