RESPONSIBLE DISCLOSURE

Responsible Disclosure Policy

We welcome security research and treat good-faith reports as a contribution to the product. This page describes what we ask of researchers and what we commit to in return.

Last updated: April 2026.

Scope

Our primary public attack surfaces, and what falls outside them, are:

  • In scope: smartemails.ai and *.smartemails.ai, the Chrome/Edge extension (extension ID on the store), our API endpoints, and the OAuth flows with Google and Microsoft.
  • Out of scope: third-party services (Supabase, Vercel, Anthropic, Stripe), social-engineering attacks against our staff or customers, and physical attacks. Findings there should be reported to the affected vendor.

How to report

Send your findings by email. We do not operate a bug-bounty platform; private email is the only reporting channel.

  • security@smartemails.ai — encrypt sensitive reports with our public PGP key, available on request.
  • Please include: a description of the vulnerability, steps to reproduce, affected components, and any proof-of-concept you have. Use a test account for anything that touches live data.

Safe harbor

If you report a vulnerability to us in good faith and act reasonably — you do not exfiltrate user data beyond what is strictly necessary to demonstrate the issue, you do not disrupt the service, and you give us reasonable time to fix before public disclosure — we commit not to pursue legal action against you, and we will not ask your provider or hosting platform to do so either.

What we commit to

  • Acknowledge your report within 48 hours (business days).
  • Triage, fix, and confirm resolution within 30 days for critical issues, 90 days for lower-severity findings. Longer timelines will be communicated with a rationale.
  • Credit you publicly in our security advisories and on a /security/credits page once the fix is live — unless you prefer to remain anonymous.

Bounty

We do not operate a paid bug-bounty program at this stage. What we can offer: a credit on our public researchers page, a SmartEmails lifetime account, and fast-tracked enterprise contract negotiation for your employer if that is relevant. If a bounty program is something that would make a difference to you, tell us — we track demand.