
SimplAI Responsible Disclosure Program

Help us keep SimplAI secure by responsibly disclosing security vulnerabilities

Introduction
At SimplAI, we take the security and reliability of our products seriously. We are dedicated to protecting user data and maintaining trust by adhering to modern security best practices. While we actively monitor and test our platforms, we appreciate the contribution of security researchers who help us identify potential vulnerabilities. Our goal is to maintain a secure environment, and we invite ethical disclosures that support this mission.
Responsible Disclosure Guidelines
To ensure your submission is eligible for recognition, please adhere to the following guidelines:
1. Report to SimplAI only
Disclose findings only to SimplAI. Do not share details with any third party or public platform until SimplAI confirms remediation and approves disclosure.
2. Provide a complete report
Your report must include reproducible steps, technical analysis, proof of concept (such as screenshots, videos, or scripts), and a clear explanation of the security impact.
3. Submit promptly and uniquely
The first valid and actionable report of a vulnerability is the only one considered. Duplicate reports will be deemed ineligible.
4. Stay in scope
Avoid unauthorized access, service disruption, privacy violations, or any activity listed under Prohibited Activities below. Stay within the boundaries of the defined scope of testing.
5. Cease testing on sensitive discovery
If you encounter personally identifiable information (PII) or unauthorized data, stop immediately and report your findings. Do not exploit the vulnerability beyond confirming its existence.
6. Respect data and systems
Do not attempt to exfiltrate, manipulate, establish shell access, maintain persistence, or laterally move within SimplAI environments. Do not compromise, extract, or manipulate data in any way.
7. Honor confidentiality
Keep the report private and do not share its details with anyone until SimplAI authorizes public disclosure.
8. Accept SimplAI’s decisions
SimplAI retains full discretion in determining the eligibility, severity, impact, and response to a reported vulnerability. All decisions made by SimplAI’s security team regarding the validity, severity, and impact of a reported vulnerability shall be deemed final and are not subject to appeal.
9. Exclusive authority
SimplAI retains exclusive authority to assess the eligibility of submissions and determine the severity level and any associated recognition or reward.
10. Agree to the policy
By submitting a vulnerability, you agree to all terms outlined in this policy.
Prohibited Activities
To ensure your submission is eligible for recognition, please follow these rules:
  • No disruptive attacks: refrain from DoS, DDoS, brute-force, spam, or social-engineering attacks on SimplAI's people, infrastructure, products, or customers.
  • No malware uploads: do not plant web shells, viruses, or any other malicious code on any SimplAI property.
  • No unauthorized data access: do not access, download, or exfiltrate PII or other confidential SimplAI data.
  • No unapproved accounts: test only with accounts you own or have explicit permission to use.
  • No exploitation beyond confirmation: the moment you confirm a vulnerability exists, stop and report it; do not pivot, escalate, or persist.
In Scope
We welcome reports on the following (or similarly impactful) issues:
  • Injection attacks (SQL, command, LDAP, SSTI, XML, etc.)
  • Cross‑site scripting (reflected, stored, DOM)
  • Broken access control (privilege escalation, IDOR)
  • XML external entity (XXE) attacks
  • Sensitive‑data exposure (PII, customer or confidential business data)
  • Insecure deserialization
  • SSRF or CSRF on sensitive actions
  • File‑path issues (LFI, RFI, directory traversal)
  • HTTP request smuggling
  • Web‑cache attacks (poisoning, deception)
  • Arbitrary or malicious file execution
  • Directory listings that reveal sensitive files
  • Any other flaw that could compromise or leak SimplAI user or customer PII
The following domains and systems are included in this program:
  • simplai.ai
  • simplai.com
  • simplai.co
  • api.simplai.ai
  • app.simplai.ai
  • dashboard.simplai.ai
  • All official subdomains under *.simplai.ai
Out of Scope
The following are out of scope:
  • Domains and systems not listed above
  • Third-party platforms and integrations
  • Vendor and logistics systems not owned by SimplAI
  • Marketing microsites or sandbox/staging environments
  • Automated tools generating bulk findings without context
  • Automated tools generating bulk traffic
The following finding categories are also out of scope (examples are non-exhaustive):
  • Informational disclosures: software banners, stack traces, generic server errors
  • Legacy-browser issues: bugs affecting only obsolete browsers
  • Service-abuse findings: rate-limiting gaps, generic brute-force or DoS weaknesses
  • Defense-in-depth gaps: missing security headers, cookie attributes, or restrictive HTTP methods
  • DNS hygiene: missing or misconfigured CAA, SPF, DMARC, DKIM, MTA-STS records
  • UI quirks: clickjacking/tab-nabbing on non-sensitive pages
  • Low-impact CSRF: CSRF on unauthenticated or non-sensitive actions
  • Minor client-side issues: prototype pollution, clear-text password submission, private-IP disclosure, unencrypted non-sensitive traffic
  • Host-header injection: unless it demonstrably leads to a security impact
How to Report
Please send reports to [email protected] with the following:
  • Detailed vulnerability description and affected endpoint/location
  • Steps to reproduce the issue with POC code, screenshots, or videos
  • Any associated CVEs or references
  • Contact details (email/phone) for follow-up
Note: Reports consisting only of crash dumps or automated scan results without context may not be processed.
Recognition & Acknowledgment
At present, SimplAI does not offer cash rewards. However, we proudly acknowledge meaningful security contributions with:
  • Public credit in our Hall of Fame (with your consent)
  • Priority follow-ups for future engagements
Hall of Fame Eligibility
Your report may be featured in our Hall of Fame if:
  • You are the first to submit a valid vulnerability
  • The issue has a high or critical security impact
  • The finding is within scope and follows all program rules
Hall of Fame - Thank You for Making a Difference
  • Sumit Sahoo
Disclaimer: SimplAI reserves the right to modify this policy or scope at any time without prior notice. Unauthorized testing or actions outside the scope may result in legal consequences.