Ada Support

Legal Resources

Vulnerability Disclosure

Effective August 31, 2022

No technology is perfect, and Ada believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Scopes

The following domains and applications are within the scope of this program:

  • Ada Chat Tool
  • ada.cx

Only severe vulnerabilities that affect our users, services, or infrastructure will be accepted for third-party applications, others will be reported/forwarded to the third-party vendor for the application.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or third-party
  • Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for a bounty
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder

Exclusions

While researching, we’d like to ask you to refrain from:

  • Denial of service to Ada services or customers’ services
  • Degrading performance or service of Ada services or our customers’ services
  • Spamming (even self-spamming)
  • Social engineering (including phishing) of any Ada staff or contractors
  • Any physical attempts against Ada or Ada’s customers’ property or data centers
  • Accessing private information of Ada’s customers

Eligibility

In order to be eligible for a bounty, you must meet the following requirements:

  • You must be the first reporter of the vulnerability
  • Vulnerability must be associated with a domain or application listed above and not applicable to the above exclusions
  • You must not publicly disclose the vulnerability without our prior discretion
  • Vulnerability must have a clearly identified security impact and presented with enough information for investigation and reproduction by Ada staff
  • You must not have compromised the privacy of Ada’s users or otherwise violated Ada’s Rules; When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Ada’s users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken
  • You must execute an Attestation of Data Deletion before any payment will be issued
  • You must comply with Ada’s Privacy Policies

Any vulnerabilities reported with the following criteria are not eligible for a bounty:

  • Attacks requiring physical access to a user’s device
  • Any physical attacks against Ada property or data centers
  • Bypass of URL malware detection
  • Affecting an ineligible scope
  • Bugs caused by third-party websites
  • Only affecting outdated browsers/platforms
  • Only affecting the executing user (self-XSS and similar)
  • Caused by misbehaving third-party software/website
  • Applicable only through social engineering
  • Pretense being you already have access to affected account (or user’s browser)
  • Vulnerabilities considered by Ada to be of low severity

How to Submit

If you would like to report a vulnerability, please contact security@ada. support with a proof of concept, list of tools used, and the output of the tools. Once received, Ada will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to address it.

Fine Print

All reports are reviewed on a case-by-case basis. Ada will determine in its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Thank you for helping keep Ada and our users safe!