    Vulnerability Disclosure Policy

    Tailor AI takes the security of our systems, customers, and data seriously. We welcome reports from security researchers and appreciate responsible disclosure. This policy describes how to report vulnerabilities and what you can expect from us in return.

    Scope

    In scope

    • tailorhq.ai and its subdomains
    • api.tailorhq.ai and other Tailor AI production APIs
    • The Tailor AI web application and authenticated product surfaces
    • Official Tailor AI client applications, where applicable

    Out of scope

    • Third-party services and vendors (please report to them directly)
    • Denial-of-service, volumetric, or stress testing
    • Social engineering of Tailor AI staff, customers, or vendors
    • Physical attacks against Tailor AI property or personnel
    • Findings without demonstrated impact, including but not limited to: missing security headers, SPF/DKIM/DMARC configuration, TLS cipher preferences, clickjacking on pages without sensitive actions, self-XSS, and automated scanner output lacking a working proof of concept
    • Reports requiring implausible user interaction or pre-conditions

    Safe Harbor

    When conducting research consistent with this policy, we consider your activity:

    • Authorized with respect to relevant anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations
    • Authorized with respect to relevant anti-circumvention laws, and we waive those restrictions for your good-faith research
    • Exempt from restrictions in our Terms of Service that would interfere with conducting security research, for the limited purpose of this policy

    If a third party initiates legal action against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized.

    Rules of Engagement

    • Test only against accounts you own or have explicit permission to test
    • Do not access, modify, or destroy data belonging to other users
    • Do not degrade availability (no DoS, no credential stuffing at scale)
    • Stop and report immediately if you encounter personal data, credentials, or proprietary information. Do not download, retain, or share it
    • Do not publicly disclose a vulnerability before we have had a reasonable opportunity to remediate

    How to Report

    Email security@tailorhq.ai with:

    • A clear description of the vulnerability
    • Reproduction steps, including URLs, requests, payloads, and screenshots or video where helpful
    • The impact you believe the issue has
    • Your name or handle and preferred contact method

    What You Can Expect From Us

    • Acknowledgment of your report within 3 business days
    • Triage and initial severity assessment within 10 business days
    • Status updates at least every 14 days until the issue is resolved
    • Coordinated timing on any public disclosure

    Coordinated Disclosure

    We ask researchers to allow a reasonable remediation window (typically up to 90 days from initial report) before any public disclosure. We are open to discussing shorter or longer windows based on severity and complexity, and we will work with you in good faith.

    Recognition

    With your permission, we are glad to acknowledge researchers who submit valid reports on a public acknowledgments page. We can also provide a written reference on request for reports that meaningfully improved our security posture.

    Monetary Rewards

    Tailor AI does not currently operate a paid bug bounty program and does not offer monetary rewards, including one-time, discretionary, or goodwill payments, for vulnerability reports. This policy applies uniformly to all researchers. We may revisit this as our program matures.

    Contact

    security@tailorhq.ai

    Last updated: April 23, 2026