sam-logo

mysamantha

Sign inStart for $0start arrow

Vulnerability Disclosure Program

Last Updated: October 8, 2025Version: 1.0

Security and vulnerability disclosure illustration

Introduction & Purpose

At mysamantha.ai, we are committed to the security and safety of our users and systems. This Vulnerability Disclosure Program (VDP) describes how security researchers and ethical hackers may responsibly report vulnerabilities they discover in our systems, and how we will respond.
We aim to foster collaboration and trust, and to ensure vulnerabilities are addressed in a safe, structured manner.

What is In Scope & Out of Scope

In Scope

The following assets are within the scope of this VDP:

  • Public production domains and subdomains under mysamantha.ai
  • Public APIs (REST, GraphQL) exposed as part of our service
  • Mobile client applications (if released as part of mysamantha.ai)
  • Web applications and services that support user-facing or API endpoints
  • Infrastructure components (e.g., load balancers, web servers) supporting the above

Out of Scope

The following are explicitly out of scope:

  • Internal development, staging, or pre-production environments (unless explicitly authorized)
  • Denial-of-Service (DoS, DDoS) attacks or flooding
  • Social engineering, phishing, spam, or attacks on physical infrastructure
  • Third-party services, integrations, dependencies (unless we explicitly include them)
  • Non-security issues such as performance bugs, UX, or visual defects

If you believe something technically out of scope is related (e.g., third-party plugin vulnerability exploited via us), please reach out to us and we will evaluate case-by-case basis.

Rules of Engagement / Researcher Guidelines

To help maintain safety, the following rules apply to all testing:

  • Test only within scope and only to the extent necessary to confirm a vulnerability.
  • Do not exploit vulnerabilities to exfiltrate, destroy, or modify data or systems.
  • Do not pivot to other systems not explicitly in scope.
  • Do not perform DoS or flooding tests.
  • If your testing accidentally accesses sensitive or private data, stop immediately and report.
  • Use a safe, non-destructive proof-of-concept (PoC) that demonstrates vulnerability.
  • Respect rate limits, usage caps, and avoid interfering with normal users.
  • Maintain confidentiality of the vulnerabilities; do not publicly disclose until we've had a chance to remediate (or as per disclosure clause).
  • Avoid substantial disruption of production systems or services.

Reporting Process & Format

To submit a vulnerability, please follow these steps:

Preferred submission method:

Send a report to samantha@zemuria.com

Recommended report format/fields:

FieldDescription
Summary / TitleBrief title of the issue
Affected asset(s)Domain, API endpoint, parameter, etc.
Severity & impactWhat is the harm (e.g. data leak, privilege escalation)
Steps to reproduce / PoCClear, reproducible steps or proof-of-concept code
Observed behavior & expectedWhat you saw vs. what should happen
Suggested mitigation(optional) Your thoughts on a fix or a workaround
Attachments/logs/screenshotsIf helpful
Timestamp/environmentBrowser, OS, API version, etc.

Upon receiving your report, we will send an acknowledgement within 1-2 business days. (We reserve the right to filter, validate, and request more information.)

Safe Harbor & Recognition

We greatly appreciate responsible security reporting. Researchers who submit valid, good-faith reports may receive exclusive mysamantha.ai merchandise as a token of appreciation for their valuable contributions.

Malicious or reckless behaviour, however, may result in legal or administrative action. Please ensure your testing follows the rules outlined in this policy to stay within safe harbor.

Response, Verification & Remediation Timeline

We commit to the following internal SLAs (subject to change as our program evolves):

  • Acknowledgement: within 2 business days of receiving your report
  • Initial triage/classification: within 4 business days
  • Fix/mitigation / patching rollout: target within 7 calendar days (based on severity)
  • Final notification: We will inform you when the issue is resolved, and may request your review or confirmation.

Where reasonable, we may request extensions or coordinate with you on timelines. For certain severe vulnerabilities, we may issue interim mitigations or workarounds.

If we cannot fix within the target window, we will communicate status and next steps.

Disclosure & Recognition

After the issue is resolved (or at our discretion), we may publish a vulnerability advisory describing the issue, root cause, and mitigation. With your permission, we may credit you (name or alias) as the reporter in such advisories.

If you do not wish to be credited, please indicate in your report.

We request that you do not publicly disclose the vulnerability until after the fix is live, or as mutually agreed.

Exclusions / Disclaimers

This policy does not provide authority to perform testing on systems outside our control. All other legal rights and remedies remain unaffected.
We reserve the right to refuse or disregard reports that are frivolous, duplicate, out of scope, or that involve prohibited activities.

Versioning, Updates & Contact

We may revise this policy from time to time. The "Last Updated" date above reflects the current version.

For any questions about this policy or your report, contact: samantha@zemuria.com

Vulnerability Disclosure | Samantha AI Security