Responsible Vulnerability Disclosure
If you believe you have found a security issue, please report it to us before making it public. We will review your report, investigate the issue, and take appropriate action where necessary.
Our goal is to handle reports transparently, responsibly, and without creating unnecessary risk for users, systems, data, or third-party services.
Scope
This policy applies to:
iamvera.ai- Public web services operated under the
iamvera.aidomain - Authentication, session handling, API endpoints, form handling, and document-processing workflows related to I am Vera
Out of Scope
The following are not considered eligible security reports unless they demonstrate a clear, practical security impact:
- Automated scanner output without verified exploitability
- Missing security headers without a demonstrable risk
- Denial-of-service testing
- Social engineering, phishing, or physical attacks
- Issues affecting third-party AI providers, hosting providers, or external services outside our direct control
- Reports requiring access to accounts, systems, or data that you do not own or have explicit permission to test
Rules for Testing
When conducting security research, please:
- Do not access, modify, delete, or exfiltrate data that does not belong to you
- Do not disrupt the availability or integrity of our services
- Do not attempt denial-of-service attacks
- Do not use social engineering against our staff, users, or suppliers
- Stop testing immediately if you encounter sensitive data and report the issue responsibly
- Provide enough technical detail for us to reproduce and verify the issue
How to Report
Please send security reports to:
Include:
- A clear description of the vulnerability
- The affected URL, endpoint, or component
- Steps to reproduce the issue
- The potential impact
- Any relevant screenshots, logs, proof-of-concept code, or HTTP requests
If security@iamvera.ai is unavailable, reports may also be sent to hello@iamvera.ai.
Response Process
We aim to acknowledge valid security reports within a reasonable timeframe. After receiving a report, we will assess the issue, determine its severity, and prioritise remediation based on risk.
We may contact you for additional information if required. Once the issue has been resolved, we may acknowledge your contribution if you would like to be credited.
No Bug Bounty Programme
I am Vera does not currently operate a paid bug bounty programme. Submitting a report does not create any entitlement to compensation, reward, or employment.
Safe Harbour
We will not pursue legal action against researchers who act in good faith, follow this policy, avoid harm to users or systems, and report vulnerabilities responsibly.
This safe harbour does not apply to actions that are malicious, destructive, unlawful, privacy-invasive, or outside the scope of this policy.
Data Protection
If your research accidentally exposes personal data, confidential information, API keys, tokens, documents, prompts, model responses, or other sensitive material, stop immediately and report the issue.
Do not copy, store, share, or further access the data.
Updates
This policy may be updated as I am Vera develops. The latest version will always be available at:
https://iamvera.ai/security-policy/
Last updated: 3 July 2026