Responsible Disclosure Policy

Last updated: May 2026

1. Our Commitment

Vera AI Solutions takes the security of its platform and the privacy of its users seriously. We recognise that independent security researchers play a valuable role in identifying vulnerabilities. If you have discovered what you believe to be a security issue in Vera AI, we encourage you to disclose it responsibly so we can investigate and address it promptly.

We commit to working with you in good faith, acknowledging your report promptly, keeping you informed of our progress, and not taking legal action against researchers who act within the scope of this policy.

2. Scope

This policy applies to the following systems and assets owned and operated by Vera AI Solutions:

  • The Vera AI web application and all routes under app.vera.ai
  • The Vera AI marketing website at vera.ai
  • All API endpoints under app.vera.ai/api
  • Authentication flows including email/password and Google OAuth
  • File upload and storage infrastructure
  • Billing and subscription management flows

The following are explicitly out of scope:

  • Third-party services including Supabase, Vercel AI Gateway, Stripe, Vercel infrastructure, and underlying model providers such as Anthropic or Google (report those to the respective vendors)
  • Social engineering attacks targeting Vera AI staff
  • Physical security of any facility
  • Denial of service attacks
  • Automated or high-volume scanning that disrupts service availability
  • Vulnerabilities in browsers, operating systems, or other software not controlled by Vera AI Solutions

3. What We Ask of Researchers

When investigating potential vulnerabilities, we ask that you:

  • Only test against accounts you own or have explicit permission to test.
  • Avoid accessing, modifying, or deleting data belonging to other users.
  • Do not exfiltrate, retain, or share user data discovered during testing.
  • Do not exploit a vulnerability beyond the minimum necessary to confirm it exists.
  • Do not perform denial of service testing, brute force attacks, or automated scanning at a rate that could affect platform availability.
  • Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and patch it.
  • Report your findings to us before disclosing to any third party.

4. What to Include in Your Report

A high-quality report helps us triage and resolve issues faster. Please include:

  • A clear description of the vulnerability and its potential impact.
  • The affected URL, endpoint, parameter, or component.
  • Step-by-step reproduction instructions.
  • Any payloads, proof-of-concept code, or screenshots that demonstrate the issue without disclosing actual user data.
  • Your assessment of severity such as a CVSS score if applicable.
  • Whether you have tested this against a production environment or a local instance.

5. Our Response Process

Upon receiving a report:

  • Acknowledgement - We will acknowledge receipt of your report within 3 business days.
  • Triage - We will assess the validity and severity of the reported issue within 10 business days.
  • Remediation - Critical vulnerabilities such as authentication bypass, data exposure, or privilege escalation will be prioritised and patched as quickly as possible, typically within 30 days. Less critical issues will be addressed in our normal development cycle.
  • Notification - We will notify you when the issue has been resolved.
  • Coordination - We ask that you allow us at least 90 days from initial report before any public disclosure, to allow time for patching and user protection.

6. Vulnerability Categories We Want to Hear About

  • Authentication and session management flaws such as session fixation or broken authentication
  • Authorisation issues including broken object-level or field-level access controls and IDOR vulnerabilities
  • Injection vulnerabilities such as SQL injection or command injection
  • Cross-site scripting (XSS) in any form
  • Cross-site request forgery (CSRF)
  • Insecure direct object references exposing user data across accounts
  • Row-level security (RLS) bypass in our Supabase database
  • Exposure of secret keys, service-role tokens, or API credentials
  • File upload vulnerabilities allowing execution of arbitrary code
  • Payment flow vulnerabilities including subscription bypass or billing manipulation
  • Prompt injection or AI safety issues within the agent system that could cause harm to users

7. Safe Harbour

Researchers who follow this policy in good faith will not face legal action from Vera AI Solutions. We consider responsible security research to be a legitimate and valuable activity. We will not refer reports to law enforcement where the researcher has complied with this policy. If legal action is initiated by a third party against a researcher for conduct consistent with this policy, Vera AI Solutions will make it known that the research was conducted in accordance with our guidelines.

8. How to Report

Send your report by email to: info@veraaisolutions.com.au. Please encrypt sensitive reports using PGP if possible and request our public key in your initial message. Do not report security vulnerabilities through public GitHub issues, social media, or the general contact form.