ADALINE VULNERABILITY DISCLOSURE POLICY

Report Vulnerability

At Adaline, we prioritize the security and integrity of our platform and our customers' data. Security is foundational to our AI-powered application platform, and we value the contributions of security researchers and our user community in helping us maintain the highest security standards.

How to Report an Issue

If you've discovered a security vulnerability that is not listed in our out-of-scope vulnerabilities, please submit a detailed report to security@adaline.ai with the following information:

  • A comprehensive summary of the vulnerability and its potential impact
  • Step-by-step reproduction instructions that our security team can follow
  • Details of the environment used (browser version, operating system, etc.)
  • Any proof-of-concept code or screenshots demonstrating the vulnerability
  • Your contact information for follow-up communications

Our security team will acknowledge receipt of your report within 24 hours and begin investigating the issue. We'll provide regular updates on our progress and may contact you for additional information as needed. Once we've resolved the issue, we'll notify affected customers according to our security incident response procedures.

We value your effort in helping us improve our security posture. For valid vulnerabilities with a CVSS score of 4.0 or higher, we offer financial rewards commensurate with the severity and impact of the finding.

Focus Areas

We're particularly interested in vulnerabilities related to:

  • Authentication bypass and privilege escalation
  • Unauthorized access to customer data or AI models
  • Cross-tenant data access or isolation failures
  • Exposure of personally identifiable information (PII) or protected health information (PHI)
  • SQL injection, XSS, CSRF, and remote code execution
  • AI prompt injection or model manipulation vulnerabilities
  • API security flaws

In Scope

  • https://adaline.ai and it's subdomains
  • Adaline platform and UI components
  • Adaline SDK and client libraries
  • Adaline integrations (GitHub, Slack, MS Teams, etc.)

Out-of-Scope

  • Automated vulnerability scanning without manual verification
  • Social engineering attacks, particularly targeting Adaline employees
  • Denial of Service (DoS) attacks of any kind
  • Vulnerabilities requiring physical access to systems
  • Theoretical vulnerabilities without proof of exploitation
  • Man-in-the-middle attacks requiring privileged network position
  • Clickjacking on non-sensitive pages
  • Self-sabotage by workspace administrators or owners
  • Bypassing limitations on free-tier accounts to access premium features
  • Missing security headers, cookie flags, or other best practices with minimal security impact
  • Vulnerabilities in third-party applications not maintained by Adaline
  • Issues in environments that are explicitly labeled as test, beta, or development

Researcher Guidelines

We kindly ask that you:

  • Only test vulnerabilities on your own account or with explicit permission from the account owner
  • Make a good faith effort to avoid privacy violations, data breaches, service disruptions, or degradation of our services
  • Do not access, modify, or delete data that does not belong to you
  • If you gain access to non-public data, limit your access to the minimum required to demonstrate the vulnerability
  • Do not attempt to pivot to other systems, exfiltrate data, or maintain persistent access
  • Maintain confidentiality regarding any vulnerabilities and associated details until we've had adequate time to address them
  • Do not perform actions that could impact the reliability or integrity of our AI models or training data

Disclosure Timeline

  • Acknowledgment: We'll acknowledge receipt of your report within 24 hours
  • Validation: We'll validate the reported issue within 3 business days
  • Regular Updates: We'll provide updates on our progress at least every 7 days
  • Resolution Timeline: We aim to resolve critical issues within 30 days, though complex issues may require additional time
  • Reward Determination: For qualifying vulnerabilities, reward determination will occur after validation
  • Public Disclosure: Coordinated public disclosure may occur after the vulnerability has been fully remediated

Safe Harbor

Any security research activities conducted in accordance with this policy will be considered authorized conduct and Adaline will not initiate legal action against you. If legal action is initiated by a third party against you for activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy.

This safe harbor applies only to security research activities that:

  • Comply with the terms of this policy
  • Are conducted against the systems and services listed as in-scope
  • Do not compromise the privacy or safety of our users, employees, or others
  • Do not violate any applicable laws

If at any time you have concerns about whether your security research complies with this policy, please contact us at security@adaline.ai before proceeding.

Changes to This Policy

Adaline may update this Vulnerability Disclosure Policy from time to time. All changes will be posted on this page with a revised effective date. We encourage security researchers to review this policy periodically.