Aivie Responsible Disclosure Program

Aivie takes security seriously. If you discover a security vulnerability in an Aivie system, please report it to us responsibly.

This is a Responsible Disclosure Program with voluntary rewards. It is not a public bug bounty program with guaranteed payouts. Rewards are granted at Aivie’s sole discretion and depend on impact, reproducibility, report quality and compliance with these rules.

Report a Vulnerability

Please submit security reports through our disclosure form:

Your report should include:

  • Affected domain, URL or system
  • Clear description of the vulnerability
  • Step-by-step reproduction instructions
  • Technical impact
  • Screenshots or short videos, if useful
  • No unnecessary customer data
  • No public disclosure before written approval from Aivie

Scope

Only systems explicitly operated by Aivie are in scope:

  • aivie.ch
  • app.aivie.ch
  • app.aivie.work
  • Official Aivie demo, staging or customer environments, only if explicitly approved by Aivie

The following are out of scope:

  • Customer systems without explicit written approval
  • Third-party services
  • Social media accounts
  • Physical infrastructure
  • Employees, partners or customers
  • Private devices or accounts

Rules

Only careful, non-disruptive testing is allowed.

The following activities are strictly prohibited:

  • Denial of service testing
  • Load testing or automated mass scanning
  • Social engineering
  • Phishing
  • Spam
  • Physical attacks
  • Accessing real customer data beyond the absolute minimum needed to prove the issue
  • Data exfiltration
  • Persistence mechanisms
  • Malware
  • Modifying or deleting data
  • Tests that may affect availability, integrity or confidentiality of Aivie systems

Any violation of these rules makes the report ineligible for a reward.

Rewards

Rewards are voluntary and only apply to valid, reproducible and security-relevant reports.

Indicative reward ranges:

Severity    Reward
Low         CHF 50
Medium      CHF 150–250
High        CHF 500–750
Critical    CHF 1’000–1’500

Maximum reward per report: CHF 1’500
Maximum monthly reward budget: CHF 2’000

Similar or related reports may be grouped together and rewarded only once.

Examples of Eligible Findings

Low:

  • Minor information disclosure with a clear security relevance
  • Weak configuration with proven practical impact

Medium:

  • Cross-site scripting with realistic impact
  • Broken access control with limited data exposure
  • Bypass of a security control without access to sensitive data

High:

  • Access to another tenant’s contacts, campaigns or customer data
  • Account takeover under realistic conditions
  • Relevant tenant isolation weakness

Critical:

  • Remote code execution
  • Access to large amounts of customer data
  • Full tenant escape
  • Unauthorised administrative access

Findings Usually Not Eligible for Rewards

We generally do not reward:

  • Reports without a reproducible proof of concept
  • Automated scanner reports without validated impact
  • AI-generated reports without technical substance
  • Missing security headers without concrete impact
  • Clickjacking on non-sensitive pages
  • Self XSS
  • Logout CSRF
  • Missing rate limits without proven impact
  • Username enumeration without additional impact
  • Publicly known software versions without an exploit path
  • SPF, DKIM or DMARC suggestions without concrete exploitability
  • TLS or SSL best practice findings without a realistic attack path
  • Theoretical reports without practical proof
  • Reports affecting outdated browsers only
  • Reports about third-party services
  • Duplicate reports
  • Already known issues
  • Findings that require admin access
  • Findings that only affect self-controlled accounts
  • Reports involving unnecessary access to customer data
  • Data exfiltration
  • DoS, DDoS or performance findings
  • Social engineering or phishing scenarios
  • Physical attacks
  • Spam or mail reputation tests

Disclosure

Vulnerabilities must not be publicly disclosed before Aivie has confirmed the fix and explicitly approved publication in writing.

If Aivie has not provided a remediation plan or approved publication within 90 days of the initial report, the reporter may proceed with coordinated public disclosure after giving Aivie 7 days’ written notice. Aivie may request a one-time extension of up to 30 days for critical vulnerabilities requiring additional remediation time.

Safe Harbour

Aivie will not initiate legal action against researchers who discover and report security vulnerabilities in good faith and in compliance with these rules. We consider such research to be authorised under applicable law. If third parties initiate legal action against a researcher who has acted in accordance with this program, Aivie will make clear that the researcher’s activities were conducted with our knowledge and approval.

Response Times

Aivie aims to review reports in a timely manner. However, no specific response time or remediation time is guaranteed.

Reward Payment

For reward payments, Aivie may require an invoice or suitable payment details. Recipients are solely responsible for any tax obligations arising from rewards received. Aivie may refuse payment if the report violates these rules or does not demonstrate relevant security impact.