Responsible Disclosure
Security vulnerability reporting policy
Our Commitment
Scrutiny AI is a security company. We hold ourselves to a higher standard than the industry we serve. If you have identified a genuine security vulnerability in our systems, we want to know. We will treat your report seriously, respond promptly, and work to resolve confirmed issues.
We will not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.
How to Report
Send your report by email to contact@scrutinyai.io with the subject line "Security Vulnerability Report".
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- The potential impact as you understand it
- Any proof-of-concept code or screenshots
You may optionally encrypt your report using our public key, which is available at api.scrutinyai.io/public-key.
What We Commit To
- Acknowledge receipt of your report within 5 business days
- Confirm whether the vulnerability is valid within 14 days
- Provide a resolution timeline for confirmed vulnerabilities
- Notify you when the issue is resolved
- Credit you in any public disclosure if you wish
In Scope
- scrutinyai.io — this website
- api.scrutinyai.io — the Scrutiny AI API
- Any other service operated under the scrutinyai.io domain
Out of Scope
- Denial-of-service attacks
- Social engineering of Scrutiny AI personnel
- Vulnerabilities in third-party services not under our control
- Findings from automated scanning without manual verification
Our Expectations
- Do not access, modify, or delete data belonging to other users
- Do not disrupt our services
- Do not publicly disclose the vulnerability before we have had reasonable time to resolve it
- Act in good faith