HiringCoachAI

Responsible disclosure

Last reviewed 2026-05-18

Our pledge

We welcome responsible-disclosure reports. If you find a vulnerability in HiringCoachAI, please let us know through the channels below. We commit to:

  • Not pursue legal action against researchers who act in good faith under this policy.
  • Acknowledge receipt: target within 2 business days.
  • Triage: target within 5 business days.
  • Keep you updated on remediation progress.
  • Publicly credit you in our changelog, if you'd like.

Contact

  • Email: [email protected].
  • No bug bounty at this time; we are working on establishing one. In the interim we can offer public acknowledgment and thanks.

Scope

In scope

  • hiringcoach.ai and www.hiringcoach.ai
  • Our public API endpoints

Out of scope

  • Denial-of-service (DoS / DDoS) attacks
  • Social engineering of HiringCoachAI staff, customers, or vendors
  • Physical attacks
  • Attacks requiring MITM or compromised devices
  • Findings from automated scanners without a demonstrable vulnerability
  • Best-practice reports that are not exploitable (e.g., missing security headers on a static asset)
  • Third-party services we use (report those to the vendor directly; we're happy to help if you get stuck)
  • Self-XSS, or issues that require a non-standard browser configuration
  • Rate-limit bypass without demonstrable impact
  • Clickjacking on pages without sensitive actions

Please

  • Act in good faith. Don't access data beyond what's needed to prove the issue.
  • Don't modify, destroy, or exfiltrate data that isn't yours.
  • Don't publicly disclose the issue before we've had a reasonable chance to fix it. We aim for 90 days; longer by mutual agreement.
  • Give us enough detail to reproduce: URL, HTTP request, screenshots, expected vs. actual.

What we'll do

1. Acknowledge your report: target within 2 business days (the same acknowledgment target stated under "Our pledge" above).
2. Triage and assign severity using CVSS v3.1.
3. Keep you updated (typically weekly until resolved).
4. Remediation targets:

  • Critical: 24 hours
  • High: 7 days
  • Medium: 30 days
  • Low: best effort

5. Credit you (if you like) in the release notes.

Where a remediation target cannot be met — for example, because a vendor-side fix is not yet available — we apply compensating controls and keep the reporter updated.

Safe harbor

We consider security research conducted under this policy to be:

  • Authorized access under computer-misuse laws;
  • Exempt from anti-circumvention provisions where they would otherwise apply;
  • Lawful and helpful to our security posture.

If legal action is initiated by a third party against you for activities that complied with this policy, we'll make it clear that your actions were authorized.

.well-known/security.txt

Contact: mailto:[email protected]
Expires: 2027-04-24T00:00:00.000Z
Preferred-Languages: en
Canonical: https://hiringcoach.ai/.well-known/security.txt
Policy: https://hiringcoach.ai/responsible-disclosure
Acknowledgments: https://hiringcoach.ai/responsible-disclosure#acknowledgments
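A maintainer republishing a file like the one above wants to know it still satisfies RFC 9116 before it goes live: Contact and Expires present, Expires given once and not yet passed, Canonical matching the URL the file is served from, and link fields using https. The validator below is an added example written for this page, not HiringCoachAI's own tooling; the sample input reproduces the fields shown above with a placeholder mailbox in place of the real contact address.

```python
from datetime import datetime, timezone

# Constructed sample: the fields shown on this page, with the contact address
# replaced by a placeholder (the real mailbox is not reproduced here).
SAMPLE = """\
Contact: mailto:security@example.com
Expires: 2027-04-24T00:00:00.000Z
Preferred-Languages: en
Canonical: https://hiringcoach.ai/.well-known/security.txt
Policy: https://hiringcoach.ai/responsible-disclosure
Acknowledgments: https://hiringcoach.ai/responsible-disclosure#acknowledgments
"""

def _ts(s):  # RFC 9116 timestamps are ISO 8601; a trailing Z becomes an explicit UTC offset
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Return {field: [values]}; fields may repeat, '#' comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, canonical_url, now=None):
    """Return a list of problems (empty = passes); `now` is an ISO 8601 string or None for the clock."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    if "contact" not in f:  # Contact is mandatory; without it nobody can reach the team
        problems.append("missing required Contact field")
    if "expires" not in f:  # Expires is mandatory, appears exactly once, and must still be in the future
        problems.append("missing required Expires field")
    elif len(f["expires"]) != 1:
        problems.append("Expires must appear exactly once")
    elif _ts(f["expires"][0]) <= now:
        problems.append("Expires is in the past; refresh the file")
    if "canonical" in f and canonical_url not in f["canonical"]:
        problems.append("Canonical does not include the URL this file is served from")
    for fld in ("canonical", "policy", "acknowledgments"):  # link fields must be https
        for v in f.get(fld, []):
            if not v.startswith("https://"):
                problems.append(f"{fld.title()} must be an https URL, got {v!r}")
    return problems
```

Running the check from a scheduled job catches the most common real-world failure, a security.txt whose Expires date quietly passed, long before a researcher finds the stale file.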

Acknowledgments

Researchers who have helped us improve security will be listed here (with their consent) once reports begin coming in.
