1. Scope

This policy covers security research on assets we own and operate. In scope: acedly.ai (this marketing site), app.acedly.ai (the web application), the AcedlyAI browser extension, and the AcedlyAI native desktop clients for macOS and Windows.

  • In scope: authentication and session handling, authorization and access control, server-side request forgery, injection vulnerabilities, sensitive-data exposure, business-logic flaws, and OS-level capture-exclusion bypass on supported platforms.
  • Out of scope: third-party services we do not control (model providers, payment processors, cloud infrastructure providers); social engineering; physical attacks; denial-of-service; rate-limit bypass that requires more than 5 r/s; automated scanner output without proof-of-concept; missing security headers without demonstrable impact.

2. How to report

Send reports to security@acedly.ai. Use a clear subject line that begins with [SECURITY]. Encrypt sensitive payloads with our PGP key if you have one available; if not, send the report in plain text and we will move the conversation to encrypted channels on first reply.

  • Include a concise title and a one-paragraph impact summary.
  • Include a reproducible proof-of-concept — minimal steps, sample inputs, and the affected URL or binary build.
  • Include the date and time of your testing in UTC, and any account identifiers you used.
  • Do not include third-party data, customer data, or credentials you obtained during testing — describe the path to access without exfiltrating.

3. Safe harbor for good-faith research

If you make a good-faith effort to comply with this policy, AcedlyAI commits to: (i) consider your research authorized for the purposes of any applicable computer-misuse, anti-circumvention, or trade-secret law in the jurisdictions where we operate; (ii) not pursue civil action or initiate a criminal complaint against you for the research; and (iii) work with you to understand and resolve the issue quickly.

Good faith means: stop testing the moment you confirm a vulnerability, do not access more data than necessary to demonstrate impact, do not modify or destroy data, and do not disrupt service for other users.

4. Out-of-scope conduct

The safe-harbor commitments above do not apply if you: extract, retain, or share customer data; pivot from a finding into unrelated systems; conduct testing that disrupts the service for live interview sessions; threaten the company or its customers; or publish details of an unfixed vulnerability before the disclosure window agreed upon below.

5. Response and disclosure timeline

  • Acknowledgment: within 3 business days of your report.
  • Triage and severity assessment: within 5 business days.
  • Critical and high-severity fixes: deployed within 30 days when feasible; we will brief you if a longer window is required and explain why.
  • Coordinated public disclosure: 90 days after the report, or sooner if a fix is shipped and confirmed earlier. We will credit you by name or handle of your choice unless you ask us not to.

6. Recognition

AcedlyAI does not currently run a paid bug bounty. We acknowledge confirmed reports in the AcedlyAI Security Hall of Thanks (published when the fix ships) and offer occasional product credits at our discretion. We expect to launch a paid program after the v2 desktop client ships.

7. Our security practices (summary)

  • All traffic to acedly.ai and app.acedly.ai is served over TLS 1.2+ with HSTS enabled.
  • Account credentials are hashed using industry-standard work-factored algorithms; we never store plaintext passwords.
  • Audio captured during a live interview session is processed through streaming speech-to-text and is not retained beyond the session unless the user explicitly enables session replay.
  • Screen content captured for coding-platform context is processed locally on the user's device by default; only the redacted text representation needed for the model is transmitted.
  • Production access is limited to named engineers, MFA-enforced, and audit-logged.
  • Quarterly third-party penetration tests on the web application; the most recent report's executive summary is available on request to enterprise customers under NDA.

Reach the security team directly at security@acedly.ai. For privacy questions or data-subject requests under GDPR/CCPA, see the Privacy Policy.