Upcoming live webinar – Ai in Insurance Claims: Myths, Realities & The ExCo Gap

Request a demo
Request a demo

Security Policy

Sprout.ai Vulnerability Disclosure Policy

Security.txt

Sprout.ai values the security of our systems and the privacy of our data. We recognise the vital role that security researchers and the community play in keeping systems safe. This policy explains how to report vulnerabilities to us and what you can expect in return.

1. How to Report

If you believe you have discovered a security vulnerability in our systems, please report it to us directly.

  • Email: dpo@sprout.ai
  • Format: Please verify the vulnerability is not a false positive before reporting. Include as much detail as possible:
  • Source: The website, IP, or page where the vulnerability exists.
  • Description: A brief description of the vulnerability.
  • Reproducibility: Steps to reproduce the issue (proof of concept).
  • CVSS Score: Please include the CVSS Score (using the latest calculator).

When you report a vulnerability to us, we commit to the following:

  • Acknowledgment: We will acknowledge receipt of your report promptly (aiming for within 5 business days).
  • Assessment: We will triage the report to confirm the vulnerability and assess its severity.
  • Updates: We will keep you informed of our progress. You do not need to sign a Non-Disclosure Agreement (NDA) to report a vulnerability.
  • Resolution: We will work to fix the issue. We ask that you maintain confidentiality until we have remediated the vulnerability.

In Scope:

  • https://sprout.ai/ website and subdomains.
  • ai application services.

Out of Scope:

  • Denial of Service: Volumetric Denial of Service (DoS/DDoS) attacks.
  • Data Integrity: Any attempt to modify, delete, or corrupt data (including database records) is strictly prohibited.
  • Database Exfiltration: Bulk extraction or downloading of database content.
  • Social engineering (phishing, vishing, deepfakes).
  • Physical security attacks.
  • Automated scanning tools that generate high volumes of traffic.

Sprout.ai considers vulnerability disclosure a helpful activity. We will not pursue legal action against you or ask law enforcement to investigate you if you:

  • Act in good faith and follow this policy.
  • Report the vulnerability to us exclusively and do not disclose it publicly until given permission or the issue is fixed.
  • Do not exploit the vulnerability to view, delete, or modify data beyond what is necessary to prove the flaw.
  • Do not degrade the performance of our services for legitimate users.

If you are in doubt about whether your actions are consistent with this policy, please contact us at dpo@sprout.ai before proceeding.