VoiceAIWrapper Vulnerability Disclosure Policy

Effective Date:

Aug 28, 2025

Last Updated

Aug 28, 2025

Introduction

We at VoiceAIWrapper are committed to strengthening the security of our voice AI platform and services, and we welcome security researchers to disclose any vulnerabilities they find directly to us.

This policy describes how VoiceAIWrapper works with the security community in the context of finding and responsibly reporting security vulnerabilities.

Reading this policy before reporting any security vulnerability is mandatory, as it clearly describes what is allowed, what is not allowed, and how vulnerabilities can be reported responsibly. Failing to follow this policy will reduce the chance of a response to your vulnerability report and the chance of recognition.

Conditions

Security researchers MUST NOT:

  • Disrupt VoiceAIWrapper systems or services.

  • Modify or destroy data of VoiceAIWrapper systems or services.

  • Disclose any found vulnerabilities to the public or third parties.

  • Violate the privacy of VoiceAIWrapper users, employees, systems or services.

  • Use high-intensity invasive, automatic or destructive scanning / exploit tools.

  • Require financial compensation under threat of withholding or release of vulnerabilities to the public.

  • Use the discovered vulnerability in any way beyond proving / demonstrating its existence (e.g., exploit the vulnerability to pivot to internal systems, compromise a system and persistently maintain access to it, etc.).

  • Use social engineering, spam or phishing techniques.

  • Submit documents in any format other than .pdf or video files.

  • Access or modify our service data or customer communications beyond what is necessary to demonstrate the vulnerability.

In order to protect our customers and services, we ask security researchers to securely delete any data retrieved during research as soon as the data is no longer required or within a month of the vulnerability being resolved, whichever occurs first.

Reporting

If you believe you've discovered a security vulnerability in one of our services, please email us at team@newxp.co.

A vulnerability report should contain:

  • Detailed description of the discovered vulnerability and its potential impact

  • Date and time when the vulnerability was discovered

  • Detailed description of the steps required to recreate the vulnerability

  • PoC scripts / sample code used to trigger the vulnerability if any

  • Any additional information, screenshots or recordings

After receiving your report, we will:

  • Investigate and verify the presence of the vulnerability

  • Address the vulnerability, assess its relative severity and develop a fix, if deemed relevant

  • Notify you when the vulnerability has been fixed

We also ask for a reasonable time to respond to a report and address the discovered vulnerability. Fixes and mitigations are prioritized depending on the impact severity and ease of exploitation. We will make our best effort to communicate every update throughout the entire process. Researchers are welcome to inquire about updates within reason (no more than once every 14 days).

If you do find critical information, such as Personally Identifiable Information or financial information, please indicate the urgency of the matter in the subject line of your email to our security team.

Out-of-Scope Vulnerabilities

  • TLS/SSL configuration weaknesses (e.g., weak / insecure cipher suites, renegotiation attacks).

  • Vulnerabilities obtained via the compromise of a VoiceAIWrapper customer or employee account.

  • Denial of Service (DoS / DDoS) attacks against VoiceAIWrapper systems or services.

  • User interface bugs or typos.

  • Missing HTTP security headers that do not lead directly to a vulnerability.

  • Presence / absence of DNS records.

  • Password, email and account policies (e.g., email verification, password complexity).

  • Lack of CSRF tokens in non-sensitive actions.

  • Attacks requiring physical access to a user's device.

  • Reports of the use of a known-vulnerable library (without evidence of exploitability).

  • Missing cookie flags without clearly identified security impact.

  • CSRF or clickjacking with no practical use to attackers.

  • CSRF that requires the knowledge of a secret.

  • Exposed metrics or other types of non-confidential data.

  • Missing best practices, configuration or policy suggestions.

  • Vulnerabilities that require a man-in-the-middle scenario to be exploited.

  • Issues related to third-party providers (listed in our Sub-processors List), which should be reported directly to those services.

Previously reported vulnerabilities or security vulnerabilities already discovered by internal procedures are not eligible for recognition.

Recognition

Vulnerabilities reported and acknowledged to be valid are subject to public recognition of the author on our Security Hall of Fame page, depending on the criticality of the vulnerability.

Additional recognition may include:

  • Professional LinkedIn recommendation from our security team

  • Professional reference for job applications

Safe Harbor

VoiceAIWrapper will not take legal action against security researchers who submit vulnerability reports as per the terms indicated in this document or for accidental, good faith violations of this policy, as long as the reason for the accidental / good faith violation has been clearly stated.

Legal

VoiceAIWrapper reserves the right to modify the terms and conditions of this policy. By reporting a security vulnerability to VoiceAIWrapper on or after the effective date of any such modification, you agree to the then-current terms.