Welcome to the Smith.ai Responsible Disclosure Program

Rules of Engagement

To participate in Smith.ai’s Responsible Disclosure Program, you agree to the following:

1. Authorized Testing Only

  • Test only assets owned and operated by Smith.ai.
  • Do not test third-party services, vendors, integrations, or customer-owned systems.
  • Do not conduct physical security testing or social engineering (including phishing, vishing, or pretexting).

2. No Service Disruption

  • No Denial of Service (DoS), Distributed DoS (DDoS), or traffic flooding.
  • No automated scanning that degrades performance or availability.
  • No testing that impacts production stability.

3. Data Protection

  • Do not access, modify, delete, or exfiltrate user or customer data beyond what is strictly necessary to demonstrate the vulnerability.
  • If you gain access to accounts, systems, or sensitive data, stop testing immediately and report the issue.
  • Do not pivot deeper into systems after confirming access.

4. Responsible Handling of Findings

  • Do not upload vulnerability details, payloads, or customer information to public repositories or third-party platforms (e.g., GitHub, Dropbox, YouTube).
  • Do not publicly disclose vulnerabilities without written authorization from Smith.ai.
  • All payloads and documentation must use professional language.
  • If documenting public-facing vulnerabilities, ensure no client-identifying information is disclosed.

Out of Scope – Low Impact Findings

The following findings are generally considered low impact and will typically be marked as out of scope unless accompanied by clear evidence of meaningful security impact:

Information Disclosure / Configuration

  • Software version disclosure
  • Directory structure enumeration without sensitive exposure
  • Missing or incomplete SPF, DKIM, or DMARC records
  • Missing cookie flags without exploit demonstration
  • Missing or informational HTTP security headers
  • Server-status pages without sensitive data exposure
  • SSL/TLS best-practice findings without exploitability
  • Weak ciphers without demonstrated attack feasibility
  • Mixed content issues without sensitive exposure
  • IIS tilde disclosure without sensitive data
  • PHP info pages without sensitive data

Authentication / Session

  • Account/email enumeration via brute force
  • Username enumeration in common platforms (e.g., WordPress, SSH)
  • Low-impact session management issues (concurrent sessions, logout behavior, etc.)
  • Self-exploitation scenarios (e.g., reuse of own password reset token)
  • CSRF with low business impact (e.g., wishlist, cart changes, minor preferences)
  • Login/logout CSRF without demonstrated account compromise
  • Credential strength or password policy observations without exploitability

Injection / Client-Side

  • Self-XSS without multi-user impact
  • XSS requiring highly unlikely user interaction (e.g., specific key combinations)
  • Injection of arbitrary text without HTML, JavaScript, or hyperlink execution
  • Reflected File Download (RFD)
  • CSV injection without demonstrated exploitation
  • Use of known-vulnerable libraries that do not result in demonstrable impact

Browser / Client-Side Only

  • Clickjacking without sensitive state-changing actions
  • Browser autocomplete issues
  • Vulnerabilities affecting only outdated browsers or unsupported platforms

In Scope – Higher Impact Vulnerabilities

The following types of vulnerabilities may be considered in scope if properly demonstrated without violating the Rules of Engagement:

  • Authentication bypass
  • Authorization bypass / privilege escalation
  • Sensitive data exposure
  • Remote code execution
  • SQL injection
  • Stored/persistent XSS affecting other users
  • Account takeover without requiring improbable victim behavior
  • CSRF resulting in meaningful account compromise or financial impact
  • Leakage of session cookies, credentials, or sensitive tokens (case-by-case evaluation)

Demonstration of impact is sufficient. Researchers must not perform full exploitation or large-scale compromise to validate severity.
Stop Testing Requirement

If you discover a vulnerability that allows access to sensitive systems, user data, administrative controls, or backend infrastructure:

  • Stop testing immediately.
  • Capture minimal evidence required to demonstrate impact.
  • Submit a report promptly.

Further exploitation beyond proof of concept is strictly prohibited.