Vulnerability Reward Program
Relevance AI maintains a Vulnerability Reward program for its web properties, and welcomes external contributions that help us keep our users safe and their data secure. We appreciate the efforts of the information security community and their commitment to responsible disclosure of vulnerabilities.
Responsibly Reporting Vulnerabilities
Vulnerabilities may be responsibly disclosed via email to security[at]relevanceai.com. They will be evaluated by the security team, with a response SLA of two working days for acknowledgement of submission, and five working days for assessment of the issue.
Qualification Criteria
Vulnerabilities must meet the following criteria to be in scope for a reward:
- Exist within a web service owned by Relevance AI that handles sensitive user data, e.g. properties hosted on https://*.relevanceai.com.
- Substantially affect the confidentiality or integrity of user data.
- Allow privilege escalation, e.g. permit an unaffiliated attacker to gain access to information or resources in an arbitrary organization.
Reward Eligibility
Our reward amounts are intended to be consistent with other equivalent programs. The final amount awarded depends on many factors, including:
- Quality of report (e.g. inclusion of a clear PoC, ideally with video or screenshots; demonstration of impact/severity; provision of any details necessary to reproduce the issue).
- Severity of issue (i.e. the scale of the compromise to confidentiality or integrity of user data in the context of Relevance AI’s business goals and customer commitments)
- Impact of issue (i.e. the scale of the affected users or aspects of Relevance AI’s business affected by the issue.)
Higher bounties will be paid for particularly severe vulnerabilities, and lower bounties will be paid for vulnerabilities with limited scope or presented with a subpar report. We may also decide that a single report constitutes multiple issues, or multiple reports are sufficiently similar that they warrant only a single reward.
The first comprehensive, responsibly disclosed report for any particular issue will be eligible for a paid reward, and all subsequent reports for the same issue will not be eligible. The email timestamp at security[at]relevanceai.com will be the sole discriminator for determining the first received report. We may decide at our discretion to reward a later report if the first report is of insufficient quality to enable effective remediation. Reports which break the guidelines of responsible reporting will not be eligible for any reward.
Excluded Issues
The following types of issues are specifically excluded from receiving rewards:
- Access to or disclosure of known public resources (e.g. robots.txt or .well-known) or non-confidential information.
- Denial of service attacks, including but not limited to email flooding, rate limiting, password or login brute force, etc.
- Any vulnerabilities found using automated scanners.
- Any vulnerabilities related to clickjacking or exploitable only through clickjacking.
- Attacks that require local physical access to a user's account, e.g. prior exfiltration of tokens, injection of headers/script, or modification of a user's browsing environment.
- Content spoofing.
- Missing HTTP security headers.
- Network-based attacks outside our control, e.g. HTTP/DNS cache poisoning.
- Missing or incorrect email DNS records (SPF, DKIM, DMARC).
Threat Model
Our threat model primarily focuses on the risk of third party data exfiltration, and our reward decisions reflect this. In particular, we regard organisations as a trust boundary, and in general, privilege escalation within an organisation scope is regarded as a functional bug, rather than a security issue. For example, vulnerabilities where a user within an organisation can gain elevated privileges within that organisation will generally not be considered for a reward unless that vulnerability permits elevated privileges without prior membership of the organisation.
Investigating and Reporting Issues
Never attempt to access anyone else's data, and do not engage in any activity that would affect any user or Relevance AI. Please research vulnerabilities in good faith; we will treat all such submissions in the same good faith. With reasonable advance notice, we aim to respond and fix bugs within a reasonable timeframe. Reward amounts will generally be confirmed and paid following the remediation of an issue in our production environments.
If you come across user data during the course of discovering vulnerabilities, please report it to us immediately, and do not store, copy, transfer, disclose, or otherwise retain this information.
Non-security issues, or queries about Relevance AI functionality, accounts, subscriptions, etc. should be directed to our customer support team via [email protected].
Legal Points
Relevance AI is not responsible for any tax or other legal implications stemming from bounties based on citizenship and country of residency. International sanctions or other local laws may also affect the eligibility of any individual to receive a reward under this program.
Any decision to pay or not pay a reward is entirely at Relevance AI’s discretion.
To contact our security team, please email security[at]relevanceai.com.