Reporting a Vulnerability
Please report any potential vulnerabilities to our security team via email: security@avra.ai
To help us investigate efficiently, please include the following in your report:
- A clear description of the vulnerability, including its potential impact.
- Detailed steps to reproduce the issue, including any URLs, request/response captures, or proof-of-concept code.
- Your contact information and, if you wish, a link to a public profile for recognition.
What to Expect (Our Commitment)
When you report a vulnerability in accordance with this policy, we promise to:
Triage
Acknowledge receipt of your report within 3 business days and assign it a tracking identifier.
Investigation
Validate and investigate your report. We may contact you for additional information if needed.
Rules of Engagement
To ensure the process is safe and productive for everyone, we ask that you adhere to the following guidelines:
Please do:
- Report any vulnerability you’ve discovered promptly and privately.
- Avoid privacy violations, destruction of data, and interruption or degradation of our service during your testing.
- Make a good-faith effort to avoid accessing or modifying data that does not belong to you. If you encounter any non-public user or company data, stop your test and report it immediately.
Please do not:
- Perform any actions that could negatively affect Avra’s users, such as Denial of Service (DoS), spamming, or social engineering (phishing).
- Access or attempt to access data that does not belong to you beyond what is necessary to demonstrate the vulnerability.
- Disclose any vulnerabilities to the public or third parties without our express written consent.
- Attempt physical attacks against Avra employees, offices, or data centers.
Safe Harbor
Avra is committed to protecting security researchers. If you comply with this policy during your security research, we will consider your research to be authorized. We will not initiate legal action or a law enforcement investigation against you in response to your report. We will work with you to understand and resolve the issue quickly, and we will not engage in legal action for accidental, good-faith violations of this policy.
Scope
This policy applies to all systems and services owned and operated by Avra.
In-Scope Assets:
- *.avra.ai (including subdomains)
- app.avra.ai
- api.avra.ai
Out-of-Scope Vulnerabilities:
While we encourage any reports that could have a security impact, the following issues are generally considered out of scope for our disclosure program (unless they can be shown to lead to a higher-impact vulnerability):
- Missing security headers (e.g., Content-Security-Policy, Strict-Transport-Security) without a demonstrated, practical exploit.
- Descriptive error messages (e.g., stack traces) without the exposure of sensitive information.
- Reports from automated scanners without manual validation.
- Self-XSS (Cross-Site Scripting) that cannot be used to attack other users.
- Issues related to software or protocols not under Avra’s direct control (e.g., vulnerabilities in a third-party service we use).
- Rate limiting or brute-force attack issues on non-authentication endpoints.