Overview
This Security and Vulnerability Disclosure page explains how to report potential security vulnerabilities in TellSpotAI and the rules for responsible reporting. It is not a bug bounty program and does not authorize testing that would otherwise be unlawful or harmful.
1. Reporting a Vulnerability
If you believe you have found a vulnerability, email [email protected] with the subject line "Security Vulnerability". Include a clear description, affected URL or feature, steps to reproduce, impact, screenshots or logs if safe to share, and your contact information if you want follow-up.
2. Rules for Responsible Reporting
- Do not access, modify, delete, disrupt, or exfiltrate data that does not belong to you.
- Do not perform denial-of-service, stress, load, spam, social engineering, phishing, physical attacks, or destructive testing.
- Do not test third-party systems, customer websites, payment tools, messaging platforms, or Customer Contact Methods unless you have separate authorization from their owner.
- Do not publicly disclose the vulnerability before TellSpotAI has had a reasonable opportunity to investigate and address it.
- Stop testing and notify us immediately if you encounter personal data, confidential information, credentials, payment data, or data belonging to another customer or visitor.
- Provide enough information for us to reproduce and validate the issue without causing harm.
3. Out-of-Scope Issues
Unless accompanied by a realistic security impact, the following are generally out of scope: missing security headers without exploitability, clickjacking on non-sensitive pages, rate-limit observations without abuse impact, self-XSS, outdated browser issues, social engineering, issues in third-party services not controlled by TellSpotAI, and reports based only on automated scanner output without validation.
4. What We May Do
We may investigate the report, contact you for more information, restrict affected features, rotate credentials, preserve logs, notify affected parties where required, work with vendors, and take corrective action. We may decline to provide detailed internal findings, confidential information, or public recognition.
5. No Compensation Commitment
TellSpotAI does not currently offer a public bug bounty, reward, or compensation program. Any recognition or compensation is at our sole discretion and must be agreed in writing.
6. Contact
- Security reports: [email protected]
- General and legal contact: [email protected]
- Website: https://tellspotai.com
