Welcome to the Smith.ai Responsible Disclosure Program

Smith.ai is committed to maintaining the security and integrity of our systems and customer data. By submitting a vulnerability report to Smith.ai, you agree to the Terms of Service.

Program Overview

If you believe you have identified a security vulnerability in a Smith.ai-owned system, we encourage you to report it responsibly. This program is intended for application security vulnerabilities affecting systems owned and operated by Smith.ai.

This is not a bug bounty program. Smith.ai does not provide monetary rewards or compensation for vulnerability submissions.

We welcome responsible security research conducted in good faith and in accordance with our program rules.


Typical Vulnerabilities Accepted

We generally accept reports involving:

  • OWASP Top 10 vulnerability categories (for example Injection, Broken Access Control, and Cross-Site Scripting)
  • Authentication bypass
  • Authorization bypass / privilege escalation
  • Sensitive data exposure
  • Account takeover that does not depend on improbable user interaction
  • Other vulnerabilities with clearly demonstrated security impact

Impact must be demonstrable. Theoretical findings without practical exploitability are typically out of scope.


Typical Out of Scope

The following are generally considered out of scope:

  • Theoretical vulnerabilities without proof of exploitability
  • Disclosure of non-sensitive information
  • Low-impact session management issues
  • Self-XSS (a payload the victim must enter themselves)
  • Vulnerabilities requiring extremely unlikely user interaction
  • Best-practice or configuration observations without demonstrated impact

For a full description of scope and rules of engagement, please review here.


Disclosure Guidelines

To participate in this program, you agree to:

  • Provide a detailed description and proof of concept sufficient to reproduce the issue.
  • Limit testing to Smith.ai-owned systems.
  • Avoid disruption, including Denial of Service (DoS) testing.
  • Avoid accessing, modifying, or exfiltrating data beyond what is strictly necessary to demonstrate the vulnerability.
  • Immediately stop testing if you gain access to sensitive systems or data.
  • Not engage in social engineering, phishing, or physical security testing.
  • Not publicly disclose vulnerabilities without written authorization from Smith.ai.
  • Not request compensation, payment, or reimbursement for vulnerabilities discovered.

Good Faith Commitment

Smith.ai will not pursue legal action against you for security research conducted in good faith, in compliance with this program's rules and our Terms of Service.