
Vulnerability Disclosure Policy

We welcome reports from security researchers. If you believe you have found a vulnerability in a Theona system, this page explains how to report it and what you can expect from us in return.

Coordinated disclosure · Safe harbor for good-faith research · [email protected]

Purpose

The security of our customers' data is fundamental to how we operate. No system is perfect, and the security research community plays an important role in helping us keep Theona safe. This policy describes how to report a suspected vulnerability, what is in and out of scope, and the commitments we make to researchers who work with us in good faith.

We will investigate every legitimate report, work to remediate confirmed issues within the timelines below, and treat researchers who follow this policy as trusted partners rather than adversaries.

Good-faith research

We consider research conducted in line with this policy to be authorized, lawful, and helpful. Acting in good faith means making an honest effort to avoid harm to our users, our data, and the availability of our services, and giving us a reasonable opportunity to respond before sharing your findings with anyone else.

How to report

Send your report to [email protected]. To help us triage quickly, please include:

  • A clear description of the issue and the system or URL affected.
  • Step-by-step instructions to reproduce it, including any proof-of-concept.
  • The potential impact as you understand it.
  • Your name or handle if you would like to be acknowledged (optional).

A machine-readable version of our security contact is published at /.well-known/security.txt in line with RFC 9116.

Scope

In scope

  • The Theona web application at app.theona.ai.
  • The Theona public API served from the theona.ai domain.
  • Our marketing website at theona.ai.

Out of scope

The following are not covered by this policy. Reports limited to these will generally be closed without action:

  • Third-party services and sub-processors we rely on, including any vendor-hosted domains. These should be reported to the relevant provider. Our current sub-processors are listed at theona.ai/sub-processors.
  • Denial-of-service, volumetric, or other attacks intended to degrade or disrupt our services.
  • Social engineering of our staff, customers, or vendors, including phishing.
  • Physical attacks against our staff, offices, or infrastructure.
  • Output of automated scanners without a demonstrated, exploitable impact.
  • Reports of missing best practices with no proven security impact (for example, missing security headers, TLS configuration suggestions, or email policy records) absent a working exploit.
  • Spam, content injection requiring an already-compromised account, or self-inflicted issues.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorized, we will not pursue or support legal action against you, and we will not take action against you under the provisions of our Terms of Service that would otherwise restrict security testing.

This authorization is limited to the systems listed as in scope and to activity that follows the rules of engagement below. It does not give you permission to access, modify, or destroy data that is not your own, and it does not waive any rights of third parties. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.

Rules of engagement

When testing, you must:

  • Use only accounts you own or test accounts you are explicitly authorized to use.
  • Not access, store, modify, or exfiltrate data that does not belong to you.
  • Stop immediately and report to us if you encounter another person's data, and not retain, copy, or disclose it.
  • Avoid privacy violations, service disruption, and degradation of the user experience.
  • Limit testing to the minimum needed to demonstrate the issue, and never attempt to pivot to other systems or escalate beyond proof of the vulnerability.
  • Keep the details of any vulnerability confidential until we have remediated it and agreed on disclosure.

Coordinated disclosure and timelines

We ask that you give us a reasonable opportunity to investigate and remediate a reported issue before disclosing it publicly or to any third party, and that you coordinate the timing of any public disclosure with us. Reports are handled through our established security incident response process.

We will acknowledge receipt of your report within 24 hours on US business days, confirm whether we can reproduce the issue, and keep you informed as we work toward a fix. Confirmed vulnerabilities are tracked to remediation within the targets we apply across our vulnerability-management program, based on severity:

  Severity    Target remediation time
  Critical    7 days
  High        30 days
  Medium      60 days
  Low         90 days

Some issues take longer to resolve safely. If remediation will exceed these targets, we will let you know and agree on a disclosure timeline with you.

Recognition, not rewards

This is a vulnerability disclosure program, not a bug bounty. We do not offer monetary rewards for reports. With your permission, we are glad to acknowledge your contribution once an issue has been resolved.

Related policies

Your use of our services and any data you encounter remain governed by our existing policies. Nothing in this policy overrides them.

Theona, Inc. is a remote-first company registered in Delaware, USA. This policy is provided for informational purposes and does not create any legal obligations or warranties beyond those in our Terms of Service and Privacy Policy.