1. Introduction
Handover AI welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or any other security issue in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect from you, and what you can expect from us.
2. Systems in Scope
- The www.handrails.ai and app.handrails.ai websites and infrastructure
- Any public (internet-facing) infrastructure owned and operated by Handover AI, e.g. CDN, firewalls, NAT gateways, S3 buckets
- SSO vulnerabilities, whether Handover AI acts as the identity provider (IdP) for third-party systems or a third-party IdP is used to sign in to Handover AI
3. Out-of-Scope
- Attacks that are likely to degrade the Handover AI service including:
- Denial of Service (DoS or Distributed DoS) attacks
- Brute force attacks
- Spam
- Attacks that are likely to corrupt or encrypt Handover AI data
- Social engineering or phishing attacks against Handover AI employees or customers
- Reports of non-compliance with best practices where no concrete, reproducible vulnerability has been identified
4. Official Communication Channel
Contact us via email (security@handrails.ai) with a detailed report of the potential vulnerability.
The email should include as much of the following information as possible:
- Your name and contact information
- The type of vulnerability
- Which system(s) are affected
- Step-by-step instructions for reproducing the issue
- Screenshots and/or other evidence of the vulnerability
If the report contains sensitive or confidential information, please encrypt it with our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
5. Disclosure Policy
Due to the sensitive nature of our data and our commitment to our customers' privacy, we do not permit public disclosure under any circumstances.
6. Rewards
Handover AI does not currently offer rewards to vulnerability reporters. This is under review and may change, so check back for updates.
7. Expectations
When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is related to this policy;
- Work with you to understand and validate your report, including a timely initial response to the submission; and
- Work to remediate discovered vulnerabilities in a timely manner.
8. Ground Rules
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
- Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to demonstrate a Proof of Concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or proprietary information;
- Interact only with test accounts you own, or with accounts for which you have the explicit permission of the account holder; and
- Refrain from extortion.
9. Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.