Responsible Disclosure
We take security seriously. If you discover a vulnerability in Violet, please let us know before public disclosure so we can fix it and protect our customers.
Contact
Report vulnerabilities by email to [email protected].
Please include a clear description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence (screenshots, HTTP traces, PoC code). Reports without reproduction steps may be deprioritized.
We support encrypted communications. PGP fingerprint: DDAC 2192 CB33 A778 845F 7F78 9CA2 FE4F B573 34BD — full public key available at [email protected].
Our Commitment
We will:
- Acknowledge your report within 5 business days
- Provide an initial assessment of severity within 10 business days
- Keep you updated on remediation progress at least every 30 days
- Work toward a fix within 90 days for critical and high-severity issues
- Credit researchers who report qualifying vulnerabilities (opt-in, see Hall of Fame)
We follow a 90-day coordinated disclosure window. After 90 days from your report (or sooner if a fix is shipped), you are free to publish your findings. We may request a short extension if active remediation is in progress.
Scope
In scope:
- tryviolet.ai and all subdomains (app.tryviolet.ai, api.tryviolet.ai, etc.)
- Violet web application and authenticated dashboard
- Scan submission and report endpoints
- Authentication flows (sign-in, OAuth, password reset, MFA)
- Authorization and access-control boundaries between organizations
Out of scope:
- Social engineering of Violet team members or customers
- Physical attacks against infrastructure
- Denial-of-service or resource exhaustion attacks
- Volumetric or rate-limit bypass testing
- Automated scanning of third-party services integrated with Violet
- Vulnerabilities in third-party dependencies without a working exploit in the Violet context
- Self-XSS or issues requiring unusual browser configurations
Safe Harbor
Violet Security will not pursue civil or criminal action against researchers who:
- discover and report security vulnerabilities in good faith;
- do not access, exfiltrate, or modify data beyond what is necessary to demonstrate the vulnerability;
- do not perform testing against other users’ accounts or data without their explicit consent;
- coordinate disclosure with us before publishing.
If you comply with this policy, Violet Security considers your research authorized under the Computer Fraud and Abuse Act and analogous laws. We will make reasonable efforts to acknowledge authorized research should a legal question arise.
Hall of Fame
We gratefully acknowledge researchers who have responsibly disclosed security issues to us. Researchers are listed with their permission.
No vulnerabilities have been reported yet — be the first.