Security Disclosure Policy

Last updated: April 8, 2026

Quick Navigation

  1. Our Commitment
  2. How to Report
  3. Scope
  4. Out of Scope
  5. Safe Harbor
  6. Response Process
  7. Recognition
  8. Contact

1. Our Commitment

Digitlify takes the security of its customers, its platform, and the broader internet community seriously. We welcome reports from security researchers and community members about potential vulnerabilities in our platform, our products, or our infrastructure.

This page sets out how to report a vulnerability, what you can expect from us in return, what is in and out of scope, and the safe-harbor terms under which we will not pursue legal action against good-faith researchers.

2. How to Report

Please report suspected vulnerabilities to [email protected].

A good report includes:

  • A clear description of the vulnerability and its potential impact
  • Reproduction steps, including any proof-of-concept code or screenshots
  • The affected URL, endpoint, or component
  • The version, browser, or environment where you observed the issue
  • Your contact information for follow-up (optional but encouraged)

If you need to send sensitive material, request our PGP key by email and we will respond with the public key within one business day.

3. Scope

The following assets are in scope for this policy:

  • digitlify.com and all subdomains
  • digitlify.io and all subdomains (QA environment)
  • The Digitlify portal, marketplace, and Digital Office control plane
  • Public API endpoints documented at /docs
  • The workforce runtime and agent execution layer

4. Out of Scope

The following classes of finding are considered out of scope:

  • Social engineering of Digitlify employees, contractors, or customers
  • Physical attacks against Digitlify or its hosting providers' facilities
  • Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
  • Volumetric brute-force attempts against login or rate-limited endpoints
  • Missing best-practice headers that have no demonstrable impact
  • Findings from automated scanners without a working proof-of-concept
  • Self-XSS or issues requiring prior compromise of the user device
  • Vulnerabilities in third-party services that we consume but do not control

5. Safe Harbor

If you make a good-faith effort to comply with this policy, Digitlify will not initiate legal action against you for accessing or probing our systems. Specifically, we consider research conducted under this policy to be:

  • Authorized under applicable anti-hacking laws (including CFAA)
  • Exempt from restrictions in the Digital Millennium Copyright Act (DMCA) for good-faith security research
  • Exempt from our Terms of Service and Acceptable Use Policy insofar as they would otherwise prohibit the research

We expect you, in return, to:

  • Give us reasonable time to investigate and fix before public disclosure
  • Make a good-faith effort to avoid privacy violations and data destruction
  • Not exfiltrate customer data beyond what is needed to prove the finding
  • Not use findings to pivot, persist, or extract non-public data
  • Comply with all applicable laws

6. Response Process

Once we receive a report, we will:

  1. Acknowledge receipt within 2 business days
  2. Provide an initial assessment within 5 business days
  3. Work with you on a resolution timeline (typically 30–90 days)
  4. Notify you when a fix has shipped
  5. Coordinate public disclosure if you wish to publish your findings

Critical findings (remote code execution, authentication bypass, customer-data exposure) receive priority and may be patched within hours.

7. Recognition

Digitlify does not currently operate a formal bug-bounty program with monetary rewards. We do maintain a Security Researcher Hall of Fame — researchers who report valid, impactful findings are recognized publicly with their consent, and we will happily provide a reference letter or a recommendation for use in your portfolio or job applications.

As our customer base and revenue grow, we plan to introduce a paid bounty program. This will be announced on this page.

8. Contact