## Reporting Guidelines
1. Email **security@sectorvoice.ai** with a detailed description, proof-of-concept, severity assessment, and affected environments. Encrypt using our PGP key (available in the [Trust Center](/trust-center#security)) if sharing sensitive information.
2. Make a good-faith effort to avoid privacy violations, data destruction, or service disruption. Only access systems to the extent necessary to demonstrate the vulnerability.
3. Do not publicly disclose the issue until we have had a reasonable opportunity to validate and remediate it (we target initial remediation within 30 days and will coordinate timelines with you).
4. Comply with applicable laws. If you discover customer or personal data, cease testing immediately and report your findings.

## Our Commitments
- Acknowledge receipt of your report within **24 hours** and provide a triage contact.
- Share status updates at least every seven (7) days until resolution.
- Work collaboratively on remediation timelines and credit you (with permission) in our Security Hall of Fame.
- Refrain from legal action against researchers acting in good faith and following this policy.

## Scope
- app.sectorvoice.ai web application and authentication flows
- SectorVoice mobile applications (iOS and Android)
- Public APIs and webhook endpoints documented in `/product/delivery-and-integrations`
- Infrastructure components under SectorVoice control (cloud resources, CI/CD pipeline)

Out of scope: third-party platforms, social media pages, advice on configuration without exploitability, denial-of-service attacks, phishing, or physical intrusion.

## Recognition and Rewards
We currently offer public acknowledgement and optional swag for validated, high-impact findings. A structured bounty programme is planned for 2026; researchers who participate now will receive priority consideration.

## Contact
- **Email**: security@sectorvoice.ai
- **Emergency (24/7)**: Include "URGENT" in the subject line for issues posing imminent risk.