Responsible Disclosure Policy
Last updated: October 15, 2025
Quick Summary
- Report privately to security@invoicifyai.com.
- Avoid accessing customer data, disrupting service, or using social engineering.
- We acknowledge within 3 business days (≤ 1 day for Critical/P0) and keep you updated during remediation.
- No paid bounty today; we offer recognition for impactful reports.
We take the security of InvoicifyAI and our multi-tenant customers seriously. This policy explains what is in scope, how to report a suspected vulnerability, and the conditions of our safe harbor so researchers can help us protect customer workspaces responsibly.
Scope
In Scope
- Domains: invoicifyai.com and subdomains operated by InvoicifyAI (e.g., app.invoicifyai.com, api.invoicifyai.com).
- Product: SaaS application, APIs, authentication flows, webhooks, and tenant- and role-based authorization (Row-Level Security/RLS).
If you are unsure about scope, contact security@invoicifyai.com before testing. We follow the spirit of ISO/IEC 29147 (Vulnerability Disclosure) and 30111 (Vulnerability Handling) when processing reports.
How to Report a Vulnerability
Email security@invoicifyai.com with as much detail as possible. You may encrypt the message if it contains sensitive data. Please include:
- A clear description, potential impact, and exact reproduction steps (URLs, payloads, headers).
- Screenshots or proof-of-concept material kept minimal and safe.
- Timestamps (UTC), source IPs used for testing, and relevant test account details.
- Do not include real customer PII or active secrets. If a key or token was exposed, rotate it first, then share only the last four characters and the rotation time.
- Your preferred contact information so we can coordinate follow-up questions.
Rules of Engagement
While evaluating our platform, you must follow these guidelines to remain within the safe harbor of this policy:
- Never access, modify, or delete data that belongs to another company tenant.
- Avoid service degradation, rate abuse, fraudulent transactions, or disruptive automation.
- No social engineering, phishing, physical intrusion, or DDoS testing.
- Use non-production test accounts only; do not use real customer data.
- Keep automated testing to low, human-like rates; avoid concurrent scanning or fuzzing that could trigger abuse defenses.
- No credential reuse against other endpoints or tenants.
- No data exfiltration beyond the minimum needed to demonstrate impact.
- Allow reasonable time for remediation before any public disclosure.
Safe Harbor & Recognition
We will not pursue legal action under anti-hacking statutes (e.g., CFAA, DMCA §1201) or initiate civil or criminal investigations provided you:
- Act in good faith and follow this policy.
- Avoid privacy violations, data destruction, and service disruption.
- Promptly report the issue and never misuse it.
- Work with us on coordinated disclosure timelines.
Safe harbor does not extend to actions that are unlawful in your jurisdiction. We operate a recognition-only program: impactful reports may receive written acknowledgement or a discretionary note of thanks with your consent.
Severity & SLA Targets
We triage using CVSS and business impact. Target timelines are:
- Critical (P0): RCE, auth bypass, cross-tenant data access, credential leakage, SSRF to metadata service — acknowledge ≤ 1 business day, mitigation plan ≤ 7 days.
- High (P1): SQL injection, stored XSS on sensitive paths, IDOR with meaningful impact — acknowledge ≤ 3 business days, fix ≤ 30 days.
- Medium/Low (P2/P3): Hardening issues or informational findings — acknowledge ≤ 5 business days, scheduled per priority.
We provide status updates through closure and may request re-testing to confirm fixes. If we detect active exploitation, we may accelerate timelines and implement immediate mitigations (for example, feature flags or WAF rules).
Recognition, Duplicates, and Disclosure
- No guaranteed monetary rewards today. Impactful reports may receive written recognition or a discretionary thank-you.
- If a report is substantially similar to one we previously received, we credit the first reproducible submission.
- Recognition is discretionary and contingent on impact and adherence to this policy.
- We support coordinated disclosure. Please wait until a fix ships or 90 days elapse (extensions by mutual agreement) before publishing details.
Out of Scope & Non-Qualifying Issues
The following findings are generally out of scope for recognition. If you are unsure, contact us before investing time.
- Third-party platforms or services (cloud, email, CDN, etc.) unless they directly compromise InvoicifyAI-managed data.
- Email configuration gaps such as SPF/DKIM/DMARC alignment or BIMI (we will address these but they are not eligible for recognition).
- Reports without clear evidence of security impact (e.g., missing security headers).
- Denial-of-service attacks, brute force testing, automated high-rate scans, or volumetric load testing.
- Common misconfigurations in customer-managed integrations or demo tenants.
- Findings that rely on already-compromised credentials or social engineering.
- Self-XSS that requires a user to paste code into their own browser console.
- Open redirects without a demonstrated exploit chain (e.g., no OAuth token theft or phishing bypass).
Our Response Process
- Acknowledgement: We confirm receipt within 3 business days (≤ 1 business day for P0).
- Initial assessment: Security and engineering triage the report, reproduce the issue, and assign a severity.
- Remediation: We develop and deploy a fix. We may ask you for more details or to re-test.
- Closure: Once mitigated, we share the outcome and any recognition we can offer.
If we do not respond in the expected window, please follow up. We are committed to keeping this inbox monitored.
Hall of Fame
Thank you to the researchers who help keep InvoicifyAI secure. We will list contributors here at their request once we begin publishing acknowledgements.
