Vulnerability Disclosure Policy
Last updated: July 6, 2026
Related: Trust & security · Privacy Policy · Privacy & Data Standards · security.txt
Overview
SmishAlert LLC ("SmishAlert") builds software that handles sensitive messaging and security-reporting data for organizations and individuals. We welcome good-faith reports of security vulnerabilities in our products and take remediation seriously.
This Vulnerability Disclosure Policy ("VDP") describes how to report issues, what is in scope, and how we respond. It is not a bug bounty program: we do not offer monetary rewards for vulnerability reports, including findings related to email authentication, DNS hygiene, or generic scanner output.
In scope
We are interested in vulnerabilities that materially affect the confidentiality, integrity, or availability of SmishAlert services or customer data — for example:
- Authentication, authorization, or session management flaws
- Cross-tenant data access or isolation failures
- Remote code execution, injection, or unsafe deserialization in our applications or APIs
- Sensitive data exposure (credentials, message content, PII, tokens, or tenant metadata)
- Privilege escalation within the organization console or mobile apps
Systems covered:
- www.smishalert.ai and other SmishAlert-operated web properties linked from our marketing site
- SmishAlert web console and authenticated organization APIs
- SmishAlert iOS and Android mobile applications (current App Store / Play Store releases)
- Backend services that process SmishAlert tenant, reporting, and authentication data
- SmishAlert-operated subdomains explicitly referenced in product documentation (for example crm.smishalert.ai)
Out of scope
The following are generally not accepted as actionable vulnerability reports under this policy:
- Missing or misconfigured DNS records (SPF, DKIM, DMARC, MTA-STS, BIMI, TLS-RPT) without a demonstrated exploit path against SmishAlert applications
- Security headers, cookie flags, or TLS configuration on marketing pages where no vulnerability is demonstrated
- Clickjacking, tabnabbing, or self-XSS that requires significant user interaction with no realistic impact on other users or tenants
- Denial-of-service, load testing, or volumetric traffic against production infrastructure
- Social engineering of SmishAlert employees, customers, or partners; physical access attempts; spam or support-ticket abuse
- Issues in third-party services (Google, Firebase, Stripe, Neon, Vercel, Cloudflare, Apple, Google Play) except where SmishAlert configuration clearly introduces cross-tenant or data-exposure risk
- Vulnerabilities affecting outdated or unsupported app versions when a fix is available in the current release
- Reports from automated scanners or checklists without a validated proof of concept and business impact
Infrastructure hygiene (such as MTA-STS or DMARC tuning) may still be tracked internally, but it does not qualify for acknowledgment under this program unless you demonstrate exploitability against SmishAlert applications or tenant data.
How to report
Email security@smishalert.ai with the subject line Security report. Encrypt sensitive details if your mail client supports TLS (standard for modern providers).
Please include:
- Description of the issue and the affected component (URL, API route, app build, tenant scenario)
- Steps to reproduce, with screenshots or video where helpful
- Proof of concept demonstrating impact (keep exploitation minimal and non-destructive)
- Your assessment of severity and affected data or users
- Whether you are the original finder and whether the issue has been disclosed elsewhere
Do not publicly disclose, sell, or exploit vulnerabilities beyond what is necessary to demonstrate impact. Do not access, modify, or exfiltrate data belonging to other customers.
General product support remains at support@smishalert.ai. Route security issues to security@smishalert.ai so they reach the right team.
Safe harbor
If you make a good-faith effort to comply with this policy — including avoiding privacy violations, service disruption, and access to data that is not your own — SmishAlert will not initiate legal action against you for your research. We ask that you stop testing and notify us immediately if you encounter customer data or cross a scope boundary.
Safe harbor applies to researchers acting in accordance with this VDP. It does not apply to extortion, ransom demands, or reports submitted primarily to solicit payment.
Our commitments
- Acknowledgment: we aim to confirm receipt within 5 business days for in-scope reports that include enough detail to triage.
- Status updates: we will provide reasonable progress updates while an issue is open.
- Remediation: we prioritize by severity and exploitability. Critical issues affecting customer data or tenant isolation are handled urgently.
- No bounty: we do not pay for reports under this policy. We may offer public credit with your permission (see Acknowledgments).
Coordinated disclosure
We prefer coordinated disclosure. Please allow us up to 90 days to investigate and remediate before any public disclosure, unless we agree otherwise in writing. We will work with you on a reasonable timeline for complex issues.
If you believe an issue is being actively exploited in the wild, say so in your report — we may accelerate remediation and communication.
Prohibited conduct
- Testing against customer tenants or accounts you do not own or have written authorization to test
- Destructive attacks, ransomware, or modification of production data
- Spamming, phishing, or social engineering SmishAlert personnel or users
- Automated scanning at a rate that impairs service availability
- Demanding payment, bounty payouts, or threatening disclosure to extract compensation
Acknowledgments
We maintain this section for valid, in-scope reports where the reporter has agreed to public recognition. There are no published acknowledgments at this time.
If you would like to be credited after we resolve an issue, tell us your preferred name and link in your report.
Policy changes
We may update this policy as our products and legal obligations evolve. Material changes will be reflected on this page and in our security.txt file. The canonical policy URL is https://www.smishalert.ai/security.
Contact
Security reports: security@smishalert.ai
SmishAlert LLC · Dallas, TX · support@smishalert.ai