Vulnerability Disclosure Program

Last Updated: August 12, 2024

No technology is perfect, and Ada believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We appreciate responsible disclosure from the security community and invite researchers to help us keep Ada safe.

Ada’s Commitment to Researchers

  • Ada will maintain trust and confidentiality in our professional exchanges with security researchers
  • Ada will treat all researchers with respect and recognize their contribution to keeping our customers safe and secure
  • Ada will work with researchers to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy
  • Ada will investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability

What Ada Asks of Researchers

  • Researchers will communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for Ada’s team to validate and address potential issues
  • Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
  • All testing must be conducted against Ada’s dedicated testing/staging environment, which is configured to mirror production for security evaluation
  • Researchers will provide the technical details and background necessary for Ada to identify and validate reported issues, using the form at the bottom of this page
  • Researchers will act in good faith, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues

Vulnerability Definition

Ada defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.

Scope

1) Private Invite-Only Program Setup

Ada’s Vulnerability Disclosure Program operates as a private, invite-only program in partnership with Bugcrowd. Participation is limited to researchers explicitly authorized by Ada. Access requires an invitation and acceptance of an NDA provided by Ada or Bugcrowd.

In-scope:

  • Corporate website (ada.cx and subdomains expressly designated in the program)
  • Ada’s AI Agent Service (e.g. embedded chat, management dashboard, etc.)

2) Testing / Staging Environment

All testing must be conducted against Ada’s dedicated testing/staging environment, which is configured to mirror production for security evaluation.

Not permitted without prior written authorization:

  • Testing against production systems
  • Actions that could impact availability, integrity, or confidentiality of production data

Prohibited Activities

The following activities are strictly prohibited:

  • Any testing against, or interaction with, Ada’s customers without their explicit consent
  • Denial of service to Ada services or customers’ services
  • Degradation of service to Ada services or our customers’ services
  • Public exposure of vulnerabilities as part of a proof of concept (e.g. website defacement)
  • Spamming (even self-spamming)
  • Social engineering (including phishing)
  • Physical access attempts against Ada or Ada’s customers’ property or data centers
  • Accessing private information of Ada’s customers

Submission Requirements

The following conditions are required for a submission to be considered valid:

  • The vulnerability must not have been previously identified
  • You must not have performed any of the above listed Prohibited Activities
  • The vulnerability must not involve any of the above listed Prohibited Activities
  • The vulnerability must have a clearly identified and significant impact to the integrity, availability or confidentiality of Ada’s products and/or services
  • The vulnerability must not have a remediation or mitigation in development
  • The vulnerability must be associated with a domain or service that is in scope
  • The vulnerability must not be publicly disclosed without Ada’s consent
  • The vulnerability must not require physical access to a device
  • The vulnerability must not require bypass of URL malware detection
  • The vulnerability must not only affect outdated browsers/platforms
  • The vulnerability must not only affect the executing user (e.g. self-XSS)
  • The vulnerability must not be a result of misbehaving third-party software, websites, systems, etc.
  • The submission must include enough information for investigation and reproduction
  • You must not have compromised the privacy of Ada’s users or otherwise violated Ada’s Rules. When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Ada’s users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken
  • You must comply with Ada’s Privacy Policies

How to Participate

Our program is invite-only. To express interest, contact security@ada.support with your researcher profile and relevant experience. If invited, you’ll receive Bugcrowd access details and the current asset list.

Reporting Guidelines

Please include:

  • Detailed description of the issue and potential impact
  • Steps to reproduce and affected endpoints
  • Proof-of-concept (PoC) that demonstrates exploitability without harming data or availability
  • Suggested remediation, if available

We will acknowledge receipt, triage the report, and keep you updated through Bugcrowd.

Reward Policy

Ada runs a Vulnerability Disclosure Program, which does not offer guaranteed rewards for submissions.

Fine Print

  • You must comply with all applicable laws in connection with your participation in this program
  • This program and accompanying terms may be modified or terminated at any time
  • Any changes to this program or accompanying terms will not be applied retroactively