Vulnerability Disclosure Policy
Last updated: April 28, 2026
Virescent.ai takes the security of our systems and our customers' data seriously. We welcome reports from security researchers acting in good faith and are committed to working with you to verify, reproduce, and respond to legitimate reports.
Reporting a Vulnerability
Please send vulnerability reports to security@virescent.ai.
A useful report includes:
- A clear description of the issue and its potential impact
- Steps to reproduce, including any URLs, payloads, accounts, or tooling required
- Any proof-of-concept code or screenshots
- Your name or handle if you'd like to be acknowledged (optional)
Please do not include sensitive customer data, third-party data, or unnecessary personal information in your report. If you've inadvertently accessed such data while researching, let us know and stop further access.
What You Can Expect From Us
- Acknowledgment of your report within 3 business days
- A triage decision (valid / duplicate / out of scope) within 10 business days
- Periodic status updates until the issue is resolved
- Public credit in our acknowledgments, with your permission, once a fix is shipped
Scope
In scope:
- virescent.ai and subdomains we operate (e.g., www.virescent.ai, trust.virescent.ai)
- Production application code and APIs we host
- Security-impacting issues in our public-facing infrastructure
Out of scope:
- Third-party services we use (Render, Vanta, Google Workspace, etc.) — please report those directly to the vendor
- Physical attacks, social engineering of our staff or customers, or attacks against our office or personal accounts
- Denial-of-service attacks, volumetric testing, or stress testing
- Automated scanner output without a demonstrated, exploitable impact
- Findings that require a compromised account, rooted device, or man-in-the-middle position you control on both ends
- Issues in software we don't maintain (e.g., reports against a dependency's published CVE without a working exploit against our deployment)
- Theoretical issues without a practical security impact (e.g., missing security headers without a demonstrated attack, weak TLS cipher suites already disabled by modern browsers, version-disclosure banners)
- Reports generated solely by AI assistants without independent verification
Researcher Guidelines
We ask that you:
- Give us a reasonable opportunity to remediate — typically 90 days from report — before public disclosure. We're happy to discuss timing if you have constraints.
- Avoid privacy violations, degradation of service, destruction of data, and interruption of users.
- Do not exfiltrate data beyond the minimum necessary to demonstrate the vulnerability.
- Do not run automated scanners against production. If you'd like to test at scale, contact us first and we'll coordinate.
- Do not perform tests that could degrade service for our customers (DoS, brute-force, resource exhaustion).
- Use only your own accounts or accounts you've been given explicit permission to test.
- Stop and notify us if you encounter customer data, employee data, or anything that looks like personally identifiable information.
Safe Harbor
We will not pursue legal action against, or report to law enforcement, security researchers who:
- Act in good faith to identify and report vulnerabilities
- Comply with this policy and the researcher guidelines above
- Make a reasonable effort to avoid privacy violations, data destruction, and service degradation
- Give us a reasonable opportunity to remediate before disclosing publicly
To the extent your activities are consistent with this policy, we authorize them under the U.S. Computer Fraud and Abuse Act (CFAA), the DMCA, and analogous state laws, and we waive any related claims against you. This authorization does not extend to activities that violate this policy or applicable law.
If legal action is initiated by a third party against you for activities conducted in good faith under this policy, we will take steps to make it known that your actions were authorized.
Rewards
Virescent.ai does not currently offer a monetary bug bounty. We do offer public acknowledgment for the first researcher to report a unique, valid issue, with their consent.
Contact
- Security reports: security@virescent.ai
- General inquiries: hello@virescent.ai
- security.txt: /.well-known/security.txt
Thank you for helping keep Virescent.ai and our customers safe.