Disclosure Policy

Date of Last Revision: Jan 13, 2026

Guidelines for Responsible Reporting

To ensure your findings are evaluated quickly and to protect the integrity of our services, we ask that security researchers adhere to the following guidelines:

  1. Do No Harm: Avoid any action that could potentially or actually cause harm, including denial-of-service, disrupting our services, or negatively impacting our customers, team members, or other individuals.
  2. Protect Data: Do not retain, share, modify, or destroy any Iterate.ai data. If you encounter any Confidential, Proprietary, or Personal Data, you must immediately cease testing, delete the data from your systems, and report the incident to us without delay.
  3. Legal Compliance: Ensure your research and reporting activities comply with all applicable local, state, and federal laws. Avoid any fraudulent activities.
  4. Maintain Confidentiality: All communication regarding potential vulnerabilities must remain confidential. Refrain from disclosing any information about the vulnerability to third parties or making it public until Iterate.ai has confirmed and resolved the issue.

Our Commitment to Researchers: If you comply with these guidelines and responsibly report your findings, Iterate.ai commits to not pursuing legal action against you, except where required by law, regulatory authorities, or third parties.

Exclusions from Scope

The following issues are considered out-of-scope for this disclosure policy, as they generally have minimal security impact or are related to known platform limitations:

  • Issues related to SPF, DKIM, or DMARC records.
  • Clickjacking/UI redressing vulnerabilities.
  • Vulnerabilities that affect outdated browsers or platforms.
  • Theoretical risks without a practical, validated proof of concept.
  • Findings generated solely from automated vulnerability scanners.
  • Issues related to SSL/TLS cipher suites or protocols (unless rated as severe).
  • Tab-nabbing and Self-XSS.
  • Content spoofing and mixed content warnings.
  • Cross-Site Request Forgery (CSRF) with minimal security impact (e.g., logout).
  • Missing HTTP security headers (e.g., Strict-Transport-Security, X-Content-Type-Options).
  • XSS related to HTTP Host/Referer Headers.
  • Inadequate cookie security flags (unless tied to a broader vulnerability).
  • Content/text injection mitigated by CSP Headers.
  • User enumeration (e.g., via signup/login forms).
  • Phishing attempts.
  • Public file or directory disclosures or internal IP exposures without exploitation potential.
  • Reports regarding assets not owned by Iterate.ai.
  • Disclosures of software version numbers.

How to Report a Security Vulnerability

If you have identified a potential security vulnerability, please follow these steps to ensure rapid response:

  1. Prepare Your Report: Your report should be detailed and include the nature of the vulnerability, the potential impact, the steps taken to discover it, and any necessary steps or code to replicate the issue.
  2. Secure Communication: Email your findings directly to our security team at security@iterate.ai.
  3. Collaborate With Us: We may reach out for further clarification. Your prompt and thorough cooperation is vital to expedite the resolution process.
  4. Maintain Confidentiality: Please respect the confidentiality period until we confirm the vulnerability is resolved.

What to Expect from Us

  • Our security team will thoroughly evaluate your report and may contact you for additional information.
  • We recognize the valuable contribution of responsible researchers, even without a monetary reward.
  • We commit to keeping you informed about the status of your reported issue throughout the remediation process, where possible.