Advottic
Sign in

Security · disclosure

Reporting a vulnerability to Advottic

We treat security reports from researchers as a gift. This page is our public commitment to handle them well: safe harbor for good-faith research, fast triage, named credit when you want it, and bounties on a tier ladder for qualifying findings.

How to report

Email security@advottic.com with:

  • A description of the issue and where you found it
  • Reproduction steps clear enough that we can confirm without asking follow-up questions
  • The impact you believe a malicious actor could achieve
  • Any temporary mitigation we can apply while we ship a fix

For higher-severity issues you can encrypt your report with our PGP key (fingerprint published on /.well-known/security.txt).

Our commitments

  • Safe harbor. We will not pursue legal action against researchers who report findings to us in good faith, do not access more data than necessary to demonstrate the issue, do not exfiltrate data, do not perform denial-of-service attacks, and do not publicly disclose before we have shipped a fix.
  • Acknowledgement within 24 hours on business days, faster for critical issues.
  • Triage decision within 72 hours. If we decide the report is in scope and exploitable, we tell you the severity and a target patch window.
  • Public credit when you want it. We maintain a researcher acknowledgements page. Anonymous credit is also fine.
  • Bounty tiers. Critical: $1,500 - $5,000. High: $500 - $1,500. Medium: $100 - $500. Low / informational: swag and credit. Scope, severity, and quality of the report all factor in. Final decisions sit with our security team.

In scope

  • advottic.com and any subdomain (hq, enterprise, *.advottic.com)
  • The Advottic Counsel firm-mode application
  • The Advottic HQ admin console
  • The Advottic public API and OAuth endpoints
  • The native iOS / Android apps (when published)

Out of scope

  • Issues on third-party services we depend on (Vercel, Supabase, Stripe, Resend, Anthropic, Microsoft, Zoom). Report those to the vendor; we will help mediate if needed.
  • Denial-of-service attacks. Do not test by trying to exhaust our infrastructure.
  • Social-engineering of Advottic staff or customers (this includes phishing tests).
  • Self-XSS, CSRF on actions that have no security impact, missing best-practice headers without a demonstrated exploit, and theoretical issues without a working PoC.
  • Issues in test or staging environments unless they reveal a real production vulnerability.

What happens next

  1. You email security@advottic.com with the report.
  2. We acknowledge, triage, and assign a severity. We may ask for clarifying information.
  3. We ship a fix on a timeline scaled to severity (critical: 7 days, high: 30 days, medium: 60 days, low: best-effort).
  4. We confirm with you that the fix addresses the report.
  5. We agree on a public-disclosure window (default 90 days from triage, sooner for already-public CVEs in dependencies).
  6. We pay the bounty and credit you on the acknowledgements page.

This page is informational and does not modify the Advottic Terms of Service. If you have a contractual confidentiality obligation with Advottic (eg. you are an enterprise customer with a signed MSA), the contract controls.