Security Policy
We take security seriously. If you discover a vulnerability, please report it responsibly.
How to Report a Vulnerability
We appreciate security researchers who help keep VincData AI safe.
If you believe you've discovered a security vulnerability in VincData AI's systems, please report it to us by emailing:
Please include the following information in your report:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity assessment
- Any proof-of-concept code (if applicable)
- Your contact information for follow-up
In Scope
These systems and vulnerability types are eligible for reporting.
Covered Systems:
- vincdata-ai.com and all subdomains
- VincData AI web applications and APIs
- AIDesktop application and related services
- Authentication and authorization systems
Priority Vulnerabilities:
- Remote code execution (RCE)
- SQL injection (SQLi)
- Cross-site scripting (XSS)
- Authentication bypass
- Server-side request forgery (SSRF)
- Privilege escalation
- Significant data exposure
- Security misconfigurations leading to data breach
Out of Scope
These issues are not eligible for security vulnerability reports.
- Denial of Service (DoS) attacks
- Social engineering attacks against VincData AI employees or users
- Physical security issues
- Spam or social engineering techniques
- Issues in third-party applications or services
- Missing security headers without a demonstrated impact
- Self-XSS or issues requiring significant user interaction
- Clickjacking on pages with no sensitive actions
- Missing best practices without security impact
- Reports from automated tools without validation
Response Times
What to expect after submitting a vulnerability report.
Resolution time depends on the severity and complexity of the issue. We aim to address critical vulnerabilities within 30 days of validation.
Safe Harbor Policy
Protection for good faith security research.
VincData AI is committed to working with security researchers to protect our users. We consider security research conducted in accordance with this policy to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls
- Exempt from restrictions in our Terms of Service that would interfere with conducting security research, and we waive those restrictions on a limited basis
- Lawful, helpful to the overall security of the Internet, and conducted in good faith
Important: You must make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services. Please only interact with test accounts you own or with explicit permission from the account holder.
Responsible Disclosure Guidelines
To ensure responsible disclosure, please:
- Allow reasonable time for us to investigate and address the issue before public disclosure
- Avoid violating the privacy of users, destroying data, or interrupting our services
- Do not access or modify user data without explicit permission
- Do not execute attacks that could harm reliability or integrity of services
- Only test against test accounts you own or have permission to use
- Do not publicly disclose the vulnerability before we've issued a fix
- Do not demand payment or compensation for reporting vulnerabilities
We appreciate the security community's efforts and may publicly acknowledge researchers who help us improve our security (with their permission).
For general security inquiries or questions about this policy:
security@vincdata.ca
This policy is effective as of December 23, 2025.