Ada Support

Legal Resources

Vulnerability Disclosure Program

Last Updated: August 12, 2024

No technology is perfect, and Ada believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve discovered a vulnerability in our product or service, we encourage you to disclose it to us responsibly. We welcome working with you to resolve the issue promptly.

Before reporting a vulnerability, please review the guidelines outlined below. By participating in Ada’s Vulnerability Disclosure Program, you agree to be bound by these guidelines.

Thank you for helping keep Ada and our users safe!

Ada’s Commitment to Researchers

  • Ada will maintain trust and confidentiality in our professional exchanges with security researchers
  • Ada will treat all researchers with respect and recognize their contribution for keeping our customers safe and secure
  • Ada will work with researchers to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy
  • Ada will investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability

What Ada Asks of Researchers

  • Researchers will communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for Ada’s team to validate and address potential issues
  • Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Researchers will only interact with instances of Ada’s AI Agent which they own or with the explicit permission of the instance owner (a free trial instance of Ada’s AI Agent can be requested by visiting https://www.ada.cx/trial/)
  • Researchers will provide the technical details and background necessary for Ada to identify and validate reported issues, using the form at the bottom of this page
  • Researchers will act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues.

Vulnerability Definition

Ada defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.

Scope

The following domains and services are within scope:

  • Ada’s Corporate Website (https://www.ada.cx)
  • Ada’s AI Agent Service (e.g. embedded chat, management dashboard, etc.)

NOTE: Testing against instances which you have not generated is strictly prohibited. A personal free trial instance can be generated by visiting https://www.ada.cx/trial/

Prohibited Activities

The following activities are strictly prohibited:

  • Any testing against or interaction with Ada’s customers’ without explicit consent
  • Denial of service to Ada services or customers’ services
  • Degradation of service to Ada services or our customers’ services
  • Public exposure of vulnerabilities as part of a proof of concept (e.g. website defacement)
  • Spamming (even self-spamming)
  • Social engineering (including phishing)
  • Physical access attempts against Ada or Ada’s customers’ property or data centers
  • Accessing private information of Ada’s customers

Submission Requirements

The following conditions are required for a submission to be considered valid:

  • The vulnerability must not have been previously identified
  • You must not have performed any of the above listed Prohibited Activities
  • The vulnerability must not involve any of the above listed Prohibited Activities
  • The vulnerability must have a clearly identified and significant impact to the integrity, availability or confidentiality of Ada’s products and/or services
  • The vulnerability must not have a remediation or mitigation in development
  • The vulnerability must be associated with a domain or service that is in scope
  • The vulnerability must not be publicly disclosed without Ada’s consent
  • The vulnerability must not require physical access to a device
  • The vulnerability must not require bypass of URL malware detection
  • The vulnerability must not only affect outdated browsers/platforms
  • The vulnerability must not only affect the executing user (e.g. self-XSS)
  • The vulnerability must not be a result of misbehaving third-party software, websites, systems, etc.
  • The submission must include enough information for investigation and reproduction
  • You must not have compromised the privacy of Ada’s users or otherwise violated Ada’s Rules; When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Ada’s users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken
  • You must comply with Ada’s Privacy Policies

How To Submit

Submissions may be sent via the form at the bottom of this page.

Reward Policy

Ada runs a Vulnerability Disclosure Program, which does not offer guaranteed rewards for submissions.

Fine Print

  • You must comply with all applicable laws in connection with your participation in this program
  • This program and accompanying terms may be modified or terminated at any time
  • Any changes to this program or accompanying terms will not be applied retroactively