Security
Bug Bounty Program
Last updated: 23/09/2025
Genie AI is committed to protecting our users' data and building secure products. We welcome responsible disclosure of vulnerabilities from the security community and offer monetary rewards for findings that help us improve our security posture.
Contact: security@genieai.co
Effective date: 23/09/2025
1. Scope
In-scope targets include production services that Genie AI owns and operates. If something is not explicitly listed here, consider it out of scope unless we confirm otherwise in writing. Excluded assets are listed under "Out of scope" below.
Web apps and APIs:
- app.genieai.co
- *.genieai.co
Infrastructure:
- Interfaces exposed from Genie AI-owned cloud accounts
2. Expected Testing Environment
Use test accounts only. Do not access, modify, or exfiltrate real customer content, documents or personal data.
If you unintentionally access sensitive data, stop, collect minimal evidence and report immediately.
3. Out of Scope
The following are not eligible for a bounty:
- Social engineering, phishing, vishing or physical security attacks
- Denial of service or volumetric attacks, traffic floods, or automated scanning that degrades service
- Spam or marketing-related issues
- Missing or misconfigured email records (e.g. SPF/DMARC) without clear exploitability
- Vulnerabilities in third-party platforms or services we do not control
- Clickjacking on non-sensitive pages
- CSRF without meaningful impact
- Rate-limiting suggestions without a proven abuse path
- Software version banners or lack of security headers without an exploit path
- Reports consisting only of automated tool output without a proof of concept
4. Responsible Disclosure Policy
We follow the principles of the UK NCSC Vulnerability Disclosure Toolkit:
- Make a good-faith effort to avoid privacy violations, data destruction and service disruption.
- Allow us a reasonable time to resolve the issue before disclosure. Our standard embargo is 90 days from acknowledgement, extendable by agreement.
- Do not publicly disclose or share vulnerability details before remediation.
- If the vulnerability involves third-party components, we may coordinate with the relevant vendors.
5. Legal Safe Harbour
We will not pursue legal action against researchers for accidental, good-faith violations of this policy. Activities conducted in accordance with this policy are considered authorised, and we waive any claims under the DMCA or Computer Misuse Act.
Conditions:
- Report promptly and minimise data access to demonstrate the issue.
- Do not exploit vulnerabilities beyond the minimal proof of concept.
- Do not compromise privacy, intellectual property, or availability.
- Comply with applicable laws, including the UK GDPR and the Data Protection Act 2018.
If in doubt, please contact us at security@genieai.co before proceeding.
6. Reward Guidelines
Bounties are determined by impact, likelihood and report quality, guided by CVSS v4.0. All amounts are in USD and represent typical maximums; awards may be adjusted up or down.
| Severity | Typical Examples | Bounty Range (USD) |
|---|---|---|
| Critical | Unauthenticated RCE, full account takeover, unrestricted data exfiltration, supply chain compromise | $500 - $1000 |
| High | Authentication bypass, significant privilege escalation, stored XSS with sensitive data access, SSRF with metadata access | $250 - $500 |
| Medium | Reflected XSS with meaningful impact, IDOR on non-sensitive objects, CSRF with state change | $100 - $250 |
| Low | Information disclosure with limited impact, low-risk rate-limit bypass | $50 - $100 |
| Note | Novel attack paths, comprehensive fixes or outstanding research quality | Discretionary |
Factors influencing awards:
- Impact to confidentiality, integrity and availability
- Number of users and sensitivity of affected data (especially legal documents and personal data)
- Ease of exploitation and presence of mitigations
- Clarity and reproducibility of the report
7. Submission Requirements
Please include:
- A clear description of the vulnerability and the affected component
- Step-by-step reproduction including URLs, account type and required preconditions
- Proof-of-concept code, payloads or screenshots
- Expected vs actual behaviour
- Impact assessment and suggested remediation
- Your name and preferred contact details
Submit via email to security@genieai.co
8. Triage and Response SLAs
We operate in the Europe / London time zone.
- First response: within 2 business days
- Triage decision and severity: within 5 business days
- Status updates: at least weekly until resolution
- Bounty decision and payment: within 30 days of validation
For complex issues, we will provide an updated timeline.
9. Programme Rules
- Do not perform actions that could degrade service for other users
- Do not access or modify data that does not belong to you
- Use only your own test accounts and documents
- Automated scanning must respect robots.txt and reasonable request rates
- No extortion or threats
- No public disclosure before remediation without explicit written consent
Violations of these rules may disqualify a submission.
10. Data Protection for Legal Tech
Given the sensitivity of legal documents:
- Never upload or access real client files or personal data during testing
- If testing document features, use redacted or synthetic content only
- If you inadvertently access customer data, stop immediately and report the minimal details necessary to help us remediate
- We may ask you to sign a short confidentiality acknowledgment for high-impact issues
11. Exclusions and Third-Party Assets
- Vulnerabilities in dependencies or services not managed by Genie AI are generally ineligible, though we may facilitate coordinated disclosure
- Cloud provider infrastructure without a direct impact to a Genie AI asset is out of scope
- Open-source projects we maintain may have separate security policies
12. Payment Process
- Payments are available via PayPal, Revolut or UK/EU/US bank transfer (USD)
- You must be eligible to receive payments under your local laws and export restrictions
- We cannot pay individuals on sanctions lists or in embargoed countries