Responsible Disclosure

This responsible disclosure policy explains how to report suspected vulnerabilities to XefAI and the standards we expect when security research is conducted in good faith.

Document Information

Last updated
March 7, 2026
Applies to
Security researchers, technical reviewers, partners, and any person reporting potential vulnerabilities affecting XefAI-owned public systems.

Policy Overview

How to report a security issue

If you believe you have discovered a security vulnerability affecting XefAI systems, websites, or publicly accessible assets, please report it to us as soon as possible at hello@xefai.com.

Include enough detail for us to reproduce and evaluate the issue responsibly. Good reports help us investigate faster and reduce unnecessary back-and-forth.

  • A description of the issue and why you believe it may create security risk
  • The affected URL, page, workflow, or system component
  • Steps to reproduce the issue, including proof-of-concept details where appropriate
  • Any relevant screenshots, logs, or request metadata that help validate the report

Expected researcher conduct

We ask security researchers to act in good faith, avoid privacy violations, and refrain from disrupting services, destroying data, or accessing information that is not necessary to demonstrate the issue.

Please do not use social engineering, denial-of-service techniques, destructive payloads, or attempts to access customer data beyond what is strictly required to identify the problem.

Our commitment

XefAI will review submitted reports, investigate credible issues, and work toward remediation based on risk and operational context. We may contact you for clarification during triage or validation.

We appreciate responsible disclosure and aim to communicate clearly throughout the review process. Response timing may vary depending on issue severity and reproducibility.

Scope and limitations

This process applies to security issues affecting XefAI-owned public properties and services. It does not grant authorization to perform intrusive testing, bypass access controls, or access third-party systems.

Issues involving customer environments, partner systems, or vendor platforms may need to be coordinated with the relevant party based on ownership and operational responsibility.

Public disclosure timing

We ask that reporters avoid public disclosure until we have had a reasonable opportunity to investigate and remediate the issue. Coordinated disclosure helps protect clients, users, and ecosystem partners from unnecessary exposure.

If you are unsure whether a finding is in scope, contact us first before proceeding further.

Need clarification?

Questions about this policy or your relationship with XefAI?

Contact our team for questions about data handling, security, commercial terms, or acceptable platform usage.