Scope
This policy covers the Valty production web application and its public-facing surfaces, including valty.ai, app.valty.ai, demo.valty.ai, and the APIs that serve them. It also covers issues affecting the confidentiality, integrity, or availability of customer data that Valty stores. Valty stores normalized proof objects on a tenant-isolated basis; source-of-truth security systems remain with the customer and are not in scope. Vulnerabilities in our third-party subprocessors (Vercel for hosting and CDN, Neon for the Postgres database, Upstash for rate-limiting and queueing, Attio for CRM and lead capture, and Resend for transactional email) should be reported to those vendors directly, though we appreciate a heads-up so we can coordinate.
How to Report
Send vulnerability reports to security@valty.ai. A PGP key is available on request to the same address for researchers who wish to encrypt their submission, and we encourage encryption for any report containing sensitive proof-of-concept detail. Please include a clear description of the issue, the affected URL or endpoint, reproduction steps, any proof-of-concept code or screenshots, and an assessment of the potential impact. Reporting in English helps us triage quickly. Please do not disclose the issue publicly until we have had a reasonable opportunity to investigate and remediate, and we will work with you on a coordinated disclosure timeline.
Safe Harbor
Valty will not pursue or support legal action against researchers who act in good faith and in accordance with this policy. We consider security research conducted under these terms to be authorized, and we will not treat it as a violation of our terms of service. If a third party brings action against you for activity that complied with this policy, we will make it known that your actions were authorized. This safe harbor applies only to good-faith research: you must avoid privacy violations, data destruction, service degradation, and any access beyond the minimum required to demonstrate a vulnerability.
Rules of Engagement
When testing, interact only with accounts and data you own or have explicit permission to use, and use the demo environment where possible rather than production tenant data. Do not run automated scanning that degrades service, do not attempt denial-of-service or volumetric attacks, and do not perform social engineering, phishing, or physical attacks against Valty staff, customers, or infrastructure. If you encounter customer data, financial risk outputs, or other sensitive information, stop, do not download or retain it, and tell us in your report. Delete any test data and proof-of-concept material once your report is submitted.
What You Can Expect
We aim to acknowledge new reports within three business days of receipt. After acknowledgment, we target an initial triage and severity assessment within ten business days, and we will keep you informed of remediation progress at reasonable intervals until the issue is resolved. These are good-faith targets for an early-stage team, not contractual guarantees, and complex issues may take longer. With your permission, we are glad to credit you publicly once a fix has shipped, and we appreciate researchers who give us time to remediate before any disclosure.
Out of Scope
The following are generally not eligible under this policy: reports from automated scanners without a demonstrated, exploitable impact; missing security headers, cookie flags, or SPF/DKIM/DMARC findings with no concrete exploit; clickjacking on pages with no sensitive state-changing actions; rate-limiting concerns absent a demonstrated abuse path; self-XSS that cannot be used against another user; theoretical issues without a working proof of concept; vulnerabilities in third-party services or libraries that we do not control; and social engineering, physical access, or denial-of-service testing. Reports about our security roadmap status, such as SOC 2, are also out of scope; SOC 2 is on our roadmap and is not represented as complete.
No Bounty at This Stage
Valty is an early-stage, design-partner company, and we do not currently operate a paid bug bounty program. We cannot offer monetary rewards for reports at this time, and we want to be transparent about that rather than imply a reward you will not receive. What we can offer is a prompt, respectful response, the safe-harbor protections described above, and public acknowledgment with your consent. We genuinely value the contributions of the research community and will revisit a formal bounty program as the company matures.
Policy Updates
We may revise this policy as our platform and security program evolve, and the current version always governs reports submitted while it is in effect. Questions about scope, this policy, or a specific test you are planning can be sent to security@valty.ai before you begin, and we are happy to clarify. We appreciate the time and care that researchers invest in helping us protect our customers and their data.