Responsible disclosure
Last reviewed 2026-04-24
Our pledge
We welcome reports of security vulnerabilities from researchers acting in good faith. We will:
- Not pursue legal action against you for activities that follow this policy.
- Acknowledge receipt within 2 business days.
- Triage within 5 business days.
- Keep you updated on remediation progress.
- Publicly credit you in our changelog, with your permission.
How to report
Email [email protected]. For sensitive reports we will share a PGP key on request. We do not operate a paid bug bounty at this time, but we offer public acknowledgment and thanks.
Scope
In scope
- hiringcoach.ai and all subdomains
- The HiringCoach Chrome extension
- Our public API endpoints
Out of scope
- Denial-of-service (DoS / DDoS) attacks
- Social engineering of our staff, customers, or vendors
- Physical attacks
- Attacks requiring MITM or compromised devices
- Findings from automated scanners without a demonstrable vulnerability
- Best-practice reports that are not exploitable (e.g., missing security headers on a static asset)
- Third-party services we use (please report to the vendor directly)
- Self-XSS or issues that require a non-standard browser configuration
- Rate-limit bypass without demonstrable impact
- Clickjacking on pages without sensitive actions
Guidelines
- Act in good faith — don't access data beyond what's needed to prove the issue.
- Don't modify, destroy, or exfiltrate data that isn't yours.
- Don't publicly disclose the issue before we've had a reasonable chance to fix it — we aim for 90 days, longer by mutual agreement.
- Give us enough to reproduce: URL, HTTP request, screenshots, expected vs. actual.
Safe harbor
We consider security research conducted under this policy to be authorized, lawful, and helpful to our security posture. If legal action is initiated by a third party against you for activities that complied with this policy, we will make clear that your actions were authorized.
Acknowledgments
Researchers who have helped us improve security will be listed here with their consent.
security.txt
Machine-readable contact information is published at /.well-known/security.txt.