Policies
Vulnerability Disclosure Policy
Effective date: TODO — set on legal approval
AI draft— pending legal & owner review; not legally binding.
1. Introduction
The security of the ShipReady Metrics service ("Service"), operated by Persoon.ai Inc. ("we" or "us"), is a priority. We value the work of the security research community and welcome good-faith reports of vulnerabilities that could affect our customers or their data.
This Vulnerability Disclosure Policy ("Policy") explains what systems are in scope, how to test responsibly, how to submit a report, and what you can expect from us in return. By submitting a report, you agree to the terms of this Policy.
2. Scope
This Policy covers the production ShipReady Metrics application and its supporting infrastructure that we operate, including the web application hosted on Vercel and the application APIs.
| Area | In scope | Notes |
|---|---|---|
| ShipReady Metrics web app | Yes | The primary application and its authenticated APIs. |
| Tenant isolation / RLS | Yes | Reports of cross-tenant data access are especially valued. |
| Third-party platforms | No | Supabase, Vercel, Resend, Anthropic, and GitHub are operated by our subprocessors; report issues to them directly. |
| Customer-owned data sources | No | Systems connected by customers (e.g., their own repositories) are out of scope. |
If you are unsure whether a target is in scope, contact us at security@persooninc.com before testing. When in doubt, treat it as out of scope.
3. Rules of Engagement
To keep research safe for our customers and their data, we ask that you observe the following rules when testing in-scope systems.
- Use only accounts and data you own or are explicitly authorized to use; never access, modify, or retain another tenant’s data.
- Stop testing and report immediately if you encounter personal data or other sensitive information.
- Do not perform denial-of-service, volumetric, or load testing, or any action that degrades the Service for others.
- Do not use social engineering, phishing, or physical attacks against our staff, customers, or facilities.
- Do not exploit a vulnerability beyond the minimum needed to demonstrate it, and do not pivot to other systems.
- Keep the details of any vulnerability confidential until we have confirmed it is resolved (see Coordinated Disclosure).
4. Safe Harbor
If you make a good-faith effort to comply with this Policy during your research, we will consider your testing to be authorized, will not pursue or support legal action against you for that research, and will work with you to understand and resolve the issue quickly.
This safe harbor does not apply to activity that violates the Rules of Engagement, that intentionally accesses or exfiltrates customer data beyond what is necessary to demonstrate a vulnerability, or that breaks applicable law. We cannot authorize testing against third-party platforms, and this Policy does not waive any rights of those third parties. The precise legal terms of this safe harbor are subject to counsel review and may change before this draft is finalized.
5. How to Report
Please send vulnerability reports to security@persooninc.com. To help us validate and resolve the issue quickly, include as much of the following as you can.
- A clear description of the vulnerability and the affected component or URL.
- Step-by-step instructions or a proof of concept to reproduce the issue.
- The potential impact and any prerequisites or special conditions.
- Any relevant logs, requests, or screenshots, with sensitive data redacted.
- How you would like to be credited, if you wish to be acknowledged.
We accept reports in English. If you need to share sensitive details securely, mention this in your initial email and we will arrange a secure channel.
6. Our Commitments
When you submit a report in line with this Policy, we aim to handle it promptly and keep you informed. The target timelines below are goals for this draft, not contractual guarantees, and may be adjusted on legal and owner review.
| Stage | Target | What we do |
|---|---|---|
| Acknowledgement | Within a few business days | Confirm we received your report. |
| Validation | Promptly after triage | Reproduce and assess severity and impact. |
| Status updates | Periodically | Keep you informed as we work toward a fix. |
| Resolution | Based on severity | Remediate and confirm the fix with you where possible. |
Confirmed vulnerabilities are handled through our internal Incident Response Policy where customer data or availability may be affected.
7. Recognition and Rewards
ShipReady Metrics does not currently operate a paid bug bounty program, and submitting a report does not entitle you to any payment. With your permission, we are happy to publicly acknowledge researchers who responsibly report valid vulnerabilities. Any future bounty program would be announced separately and is not promised by this draft.
8. Coordinated Disclosure
We follow a coordinated disclosure approach. We ask that you give us a reasonable opportunity to investigate and remediate before disclosing any details publicly, and that you coordinate the timing and content of any public disclosure with us. We will work with you in good faith to agree on a disclosure timeline appropriate to the severity of the issue.
9. Contact
Security reports and questions about this Policy: security@persooninc.com. Postal contact: Persoon.ai Inc., 525 Randall Ave Ste 100 PMB 228, Cheyenne, WY 82001. Data-protection inquiries may be directed to our info@persooninc.com. This document is an AI-generated draft pending legal and owner review and is not legally binding.