
Vulnerability Disclosure Program (VDP) Policy

At Yellow.ai, the security of our systems and data is of utmost importance. We are committed to protecting our customers and their data. This Vulnerability Disclosure Program (VDP) policy outlines our guidelines for security researchers who discover and report potential vulnerabilities in our systems. We appreciate the efforts of security researchers in helping us maintain a secure environment.

Scope

This VDP policy applies to the following:

  • In-Scope: cloud.yellow.ai
  • Out-of-Scope: All other subdomains and services not explicitly mentioned as in-scope.

While other subdomains are generally out of scope, we encourage researchers to report critical findings in these areas. Such reports will be reviewed on a case-by-case basis.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability, please report it to us as soon as possible through the embedded HackerOne submission form below. If you encounter any issues, please contact [email protected]. Your report should include:

  • A clear and concise description of the vulnerability.
  • Steps to reproduce the vulnerability.
  • The impact of the vulnerability.
  • Any proof-of-concept code or screenshots that demonstrate the vulnerability.

Our Commitment

Upon receiving a vulnerability report, we commit to:

  • Acknowledging receipt of your report within 3-5 business days.
  • Investigating the reported vulnerability promptly and thoroughly.
  • Communicating our progress and findings to you via the platform.
  • Not pursuing legal action against researchers who adhere to this policy.

Please note that this is a VDP, not a bug bounty program: we do not offer monetary rewards for vulnerability disclosures.

General Out-of-Scope Findings

The following types of findings are generally considered out of scope for this VDP:

  • Denial of Service (DoS) attacks.
  • Vulnerabilities found in third-party applications or services not directly controlled by Yellow.ai.
  • Missing best practices in Content Security Policy.
  • Missing best practices in SSL/TLS configuration.
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
  • Missing HttpOnly or Secure flags on cookies.
  • Disclosure of information that is already public.
  • Self-XSS (Cross-Site Scripting that only affects the user themselves).
  • Clickjacking on pages with no sensitive actions.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Rate limiting or brute force issues on non-authentication endpoints.
  • Social engineering (e.g., phishing, vishing, smishing).
  • Software version disclosure, banner identification or server headers, and publicly accessible files such as robots.txt.

Responsible Disclosure Guidelines

We ask that security researchers adhere to the following guidelines:

  • Do not disclose the vulnerability to any third party before we have had a reasonable opportunity to address it.
  • Do not intentionally access or modify data that does not belong to you.
  • Do not disrupt our services or impact the experience of other users.
  • Do not use automated scanning tools that may generate a high volume of traffic.

Changes to this Policy

Yellow.ai reserves the right to modify or update this VDP policy at any time. We encourage you to review this policy periodically for any changes.

Contact

For any questions regarding this VDP policy, please contact us at [email protected].