Vulnerability Disclosure Policy
Last updated: February 13, 2026
HAIEC Inc. takes the security of our platform seriously. We welcome responsible disclosure of security vulnerabilities from security researchers and the community.
How to Report a Vulnerability
Email: security@haiec.com
Please include the following in your report:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected URL(s) or API endpoint(s)
- Your assessment of severity (Critical, High, Medium, Low)
- Any proof-of-concept code or screenshots
- Your name and contact information (for acknowledgment, if desired)
In Scope
Assets:
- haiec.com and all subdomains
- HAIEC API endpoints (api.haiec.com)
- HAIEC GitHub App
- HAIEC npm/PyPI packages
Vulnerability classes:
- Authentication and authorization flaws
- Data exposure or leakage
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- SQL injection
- Insecure direct object references (IDOR)
- Business logic vulnerabilities
Out of Scope
- Denial of service (DoS/DDoS) attacks
- Social engineering or phishing attacks against HAIEC employees
- Physical attacks against HAIEC offices or data centers
- Vulnerabilities in third-party services (Vercel, Neon, Stripe, etc.)
- Issues that require physical access to a user's device
- Clickjacking on pages with no sensitive actions
- Missing security headers that do not lead to a direct vulnerability
- Software version disclosure without a demonstrated exploit
- Rate limiting issues on non-authentication endpoints
Our Response Commitments
| Action | Timeline |
|---|---|
| Acknowledge receipt of report | Within 2 business days |
| Initial assessment and severity classification | Within 5 business days |
| Status update to reporter | Within 10 business days |
| Remediation of confirmed vulnerabilities | Based on severity (see below) |
| Notification to reporter upon fix | Within 2 business days of fix |
Remediation Targets by Severity (counted from confirmation of the vulnerability)
- Critical: 72 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
Safe Harbor
HAIEC will not pursue legal action against security researchers who:
- Act in good faith to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or with explicit permission
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Report vulnerabilities promptly and do not disclose publicly before we have had reasonable time to remediate
- Do not run automated scanning tools without prior coordination, and never in a way that generates excessive traffic
We consider security research conducted in accordance with this policy to be authorized and will not pursue civil or criminal action.
Recognition
We appreciate the security research community's efforts. For valid reports, we offer:
- Public acknowledgment (with your permission) on this page
- A letter of appreciation for your professional portfolio
HAIEC does not currently operate a paid bug bounty program.
Please Do Not
- Access, modify, or delete data belonging to other users
- Perform actions that could degrade service for other users
- Use automated vulnerability scanners without prior coordination
- Disclose vulnerability details publicly before remediation
- Demand payment in exchange for not disclosing a vulnerability