Effective date: August 18, 2025
Contact: security@hyvery.com
Optional encryption: PGP (see “Encrypting Your Report”)
Applies to: Hyvery-owned domains, apps, and infrastructure as defined in Scope.
Hyvery welcomes good‑faith security research and responsible disclosure. This policy defines how to report vulnerabilities to us, what testing is allowed, our commitments to researchers, and our safe‑harbor terms.
In scope (examples):
Production SaaS: app.hyvery.com, api.hyvery.com, trust.hyvery.com
Corporate websites and docs under *.hyvery.com
Mobile apps and their API backends
Out of scope (examples):
Third‑party services we do not own/control (cloud hosting, email providers, status pages hosted by third parties)
Customer‑owned environments or integrations managed by customers
Social engineering, physical intrusion, and denial‑of‑service (DoS/DDoS) attacks
Automated scans that degrade service or brute‑force attacks against rate limits
If you’re unsure whether a target is in scope, email security@hyvery.com first.
Send to security@hyvery.com with:
A clear summary of the issue and impact
Steps to reproduce (URLs, parameters, test account details)
Proof‑of‑concept (minimal, non‑destructive) and affected versions
Timeframes/Request IDs and any relevant headers or logs
Your contact and how we may publicly credit you (optional)
Please avoid accessing, modifying, or exfiltrating data that isn’t yours. If you encounter Personal Data, stop testing, minimize exposure, and notify us immediately.
Acknowledgement: within 24 hours (business days for non‑critical)
Triage & disposition: within 3 business days
Remediation targets: Critical ≤ 7 days, High ≤ 14 days, Medium ≤ 30 days, Low ≤ 90 days (or as agreed)
Disclosure window: We encourage coordination with a default 90‑day window. We may request a reasonable extension for complex fixes; we may also disclose sooner for active exploitation.
We’ll keep you informed of material status changes and invite validation testing after remediation.
If you make a good‑faith effort to comply with this policy:
No legal action: Hyvery will not initiate or recommend legal action under the CFAA, DMCA 1201, anti‑hacking, or similar laws for your research.
No contract breach claims: We will not pursue claims for bypassing technical controls, rate limits, or ToS restrictions where doing so is strictly necessary to prove a vulnerability and you do not exploit it beyond what is needed for that proof.
Law enforcement: If a third party initiates legal action, we will clearly communicate your authorized research context and our policy.
Good‑faith conditions: Do not exfiltrate more data than necessary; do not access other users’ data; do not disrupt service; do not retain, share, or publish sensitive data. Promptly delete any data obtained and provide destruction attestation if requested.
Safe harbor does not apply to actions that are illegal, destructive, privacy‑invasive, or exploitative (e.g., ransomware; trafficking in access; continued testing after we ask you to stop). If local laws require advance authorization, request permission at security@hyvery.com.
Allowed (with care):
Non‑destructive PoC against your own data/test accounts
Testing for common classes: XSS, CSRF, IDOR/BOLA (insecure direct object references), SSRF (non‑destructive), auth/logic flaws, misconfigurations, access control issues, path traversal
Rate‑limited scanning that respects HTTP 429 responses and backs off
Not allowed:
DoS/DDoS, resource exhaustion, spam or brute‑forcing credentials
Social engineering of Hyvery staff or customers; phishing; vishing
Physical security or tailgating
Production data exfiltration, tampering, or creating backdoors
Privacy violations or retaining sensitive data
Automated scanning that materially impacts service quality
Hyvery does not operate a public bug‑bounty program at this time. With your consent, we may credit you on our Hall of Fame page and provide a thank‑you token at our discretion, subject to applicable laws and export/sanctions restrictions.
Critical: RCE; auth bypass; arbitrary account takeover; significant PII access; high‑impact injection
High: Privilege escalation; stored XSS with admin impact; direct access to sensitive data via IDOR
Medium: Reflected XSS; CSRF with meaningful impact; information disclosure enabling lateral movement
Low: Clickjacking on non‑sensitive pages; best‑practice gaps without direct exploit
We may downgrade issues lacking meaningful, reproducible impact or affecting only out‑of‑support browsers.
You may encrypt sensitive details with our PGP key:
Key owner: Hyvery Security
Email: security@hyvery.com
Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key ID: 0xDEADBEEF
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Place Hyvery Security PGP public key here]
-----END PGP PUBLIC KEY BLOCK-----
We rotate keys periodically; check our /.well-known/security.txt for the latest fingerprint.
Treat researchers with respect and professionalism
Keep your report confidential and use details only to remediate
Provide status updates at significant milestones
Credit you (with consent) after remediation and coordinate disclosure
If you inadvertently access Personal Data, immediately stop, minimize exposure, and notify us. Do not copy, store, transmit, or disclose the data. Upon request, delete and confirm deletion of any copies.
12) Changes to this Policy
We may update this VDP over time. Material changes will be noted on our trust page and take effect upon posting.
/.well-known/security.txt
Contact: mailto:security@hyvery.com
Encryption: https://hyvery.com/pgp.txt
Policy: https://hyvery.com/vulnerability-disclosure
Acknowledgments: https://hyvery.com/hall-of-fame
Preferred-Languages: en
Canonical: https://hyvery.com/.well-known/security.txt
Hiring: https://hyvery.com/careers
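The fragment above is what a scanner or researcher fetches from the well-known path; note that RFC 9116 also requires an Expires field, which this template omits. The validator below is an added example (not Hyvery's own tooling) that parses a security.txt and runs the checks to perform before publishing it; the hyvery.com URLs are taken from the page, and the timestamps used are constructed.

```python
"""Validator for a /.well-known/security.txt file (RFC 9116).
Added example for this policy page, not Hyvery's own tooling: parses the
fields and runs the pre-publication checks (Contact and Expires present,
Expires sane, Canonical matching the URL the file is served from)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the fragment shown in this policy, which lacks Expires.
PAGE_FRAGMENT = """\
Contact: mailto:security@hyvery.com
Policy: https://hyvery.com/vulnerability-disclosure
Acknowledgments: https://hyvery.com/hall-of-fame
Preferred-Languages: en
Canonical: https://hyvery.com/.well-known/security.txt
"""
SERVED_URL = "https://hyvery.com/.well-known/security.txt"

def parse_security_txt(text):
    """(field, value) pairs in order; names case-insensitive, '#' = comment."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields

def validate(text, served_url, now=None):
    """Return a list of problems (empty = pass). `now` is an optional ISO 8601
    timestamp so checks are reproducible; default is the current UTC time."""
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [n for n, _ in fields]
    problems = [f"missing required field: {f}" for f in ("contact", "expires")
                if f not in names]
    for name, value in fields:
        if name == "contact" and not value.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI (mailto:/https:/tel:): {value!r}")
        if name == "expires":  # RFC 3339 timestamp; must be in the future
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            if exp <= now:
                problems.append("Expires is in the past: the file is stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is over a year out; RFC 9116 recommends less")
    canonical = [v for n, v in fields if n == "canonical"]
    if canonical and served_url not in canonical:
        problems.append(f"Canonical does not include the served URL {served_url}")
    return problems
```

Running `validate(PAGE_FRAGMENT, SERVED_URL)` reports only the missing Expires; appending a line such as `Expires: 2026-02-01T00:00:00Z` (a constructed value, within a year of the policy's effective date) makes the file pass.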
Subject: [Hyvery] Security report received — {short title}
Hi {Name},
Thank you for your report. We’ve logged it as {TICKET-ID} and will begin triage immediately. Our current SLA targets are: acknowledgement 24h, triage 3 business days. We’ll update you by {date}. If you discovered or retained any sensitive data, please delete it and let us know.
Thanks again,
— Hyvery Security (security@hyvery.com)
We may list your name/handle and a brief description of the resolved issue when: (1) the issue is valid and unique; (2) it is remediated; and (3) you followed this policy. We don’t publish details that could help attackers until fixes are widely deployed.