Verif·AI
Sign in Run a check
Verif·AI  ·  Security Last updated 23 April 2026 Safe harbour for researchers

Security & Vulnerability Disclosure

Report a finding · We'll respond in 2 business days

Security and privacy are at the core of what we sell. If you believe you've found a vulnerability in Verif-AI, we want to hear from you — and we promise not to take legal action against anyone acting in good faith under this policy.

Report findings to support@verif-ai.co.uk with "Security disclosure" in the subject line. We read every one.

01

Scope

Services operated directly by Verif-AI are in scope:

  • www.verif-ai.co.uk — the marketing site and sign-in
  • app.verif-ai.co.uk — the authenticated dashboard and report generator
  • api.verif-ai.co.uk — the programmatic API (including /api/v1/* endpoints)
  • Email flows originating from @verif-ai.co.uk and @kaisark.ai

Third-party platforms we integrate with (Stripe, Resend, Companies House, Neon, Railway) are out of scope — please report findings on those services directly to the vendor.

02

How to report

Email support@verif-ai.co.uk with "Security disclosure" in the subject line. A high-quality report helps us triage quickly — please include:

  • Affected target, feature, or URL (e.g. app.verif-ai.co.uk/api/v1/...)
  • Description of the problem — what you found and why it matters
  • Impact — what a real attacker could do with this
  • Steps to reproduce — including any accounts, headers, or payloads needed
  • Is this publicly known? Yes / No — and where, if yes

We don't have a PGP key yet. If you need encrypted transit, we'll happily provision one on request.

03

Our response commitment

If your report is in scope and follows this policy, we will:

  • Acknowledge your report within 2 business days
  • Triage and provide an initial assessment within 5 business days
  • Fix critical issues within 30 days, or agree a public timeline with you if remediation is genuinely non-trivial
  • Credit you publicly in our changelog once the fix is live — unless you prefer to remain anonymous

We don't currently offer a paid bounty. We recognise that's a choice, and we make up for it with a fast, respectful response and clear public credit. When we grow into a bounty programme, existing reporters will be given retrospective consideration.

04

Safe harbour

Verif-AI pledges not to initiate legal action against researchers who:

  • Follow this disclosure policy in good faith
  • Avoid privacy violations, data destruction, or service degradation
  • Only interact with their own test accounts
  • Do not exfiltrate, share, or retain personal data beyond what is needed to demonstrate the finding
  • Give us a reasonable window to remediate before any public disclosure

If your research accidentally violates a provision of our Terms of Service, we will treat the research activity as authorised for the purposes of this policy.

05

Out of scope

The following are not eligible under this policy:

  • Any vulnerability obtained by compromising a Verif-AI customer or employee account
  • Missing best-practice, configuration, or policy suggestions without a working PoC (e.g. "you should add HSTS preload")
  • Denial-of-service attacks, rate-limit probing, or volumetric testing
  • Physical attacks on Verif-AI staff, offices, or data centres
  • Social engineering of Verif-AI staff, contractors, vendors, or service providers
  • Uploading, transmitting, or linking to malware
  • Unsolicited bulk messaging (spam) or unauthorised outbound messages
  • Clickjacking on pages with no sensitive actions
  • Third-party vendor bugs unrelated to our integration
  • Automated scanner output without a working PoC for a specific vulnerability
  • Previously known vulnerable libraries without a working PoC
  • SSL / TLS configuration reports already flagged by standard scanners without demonstrable impact
06

Guidelines for researchers

Please be considerate when testing:

  • Test on your own account. Don't create an unnecessary number of accounts
  • No unusual load. Keep request volumes reasonable — probe, don't hammer
  • Stop when you've proven the vulnerability. Read-only access is enough to demonstrate most classes of bug
  • No data exfiltration beyond the minimum needed to prove the finding. Redact or delete anything you do see
  • Do not modify, delete, or exfiltrate other users' data under any circumstance
  • Do not post publicly until we've researched, fixed, and (where customers are affected) notified them
07

Privacy incidents

If your finding relates to personal data (GDPR / UK Data Protection Act 2018) — for instance, data exposure, unauthorised access, or broken access controls on user data — mark the email "GDPR disclosure" instead. We treat privacy incidents as a separate workstream with its own response chain, and we have a regulatory 72-hour clock we need to respect.

08

machine-readable (security.txt)

Per RFC 9116, a machine-readable copy of this contact is available at /.well-known/security.txt. Researcher tools should pick it up automatically.

Governing law. This policy and the use of Verif-AI are governed by the laws of England & Wales.

Contact. Kaisark Innovations Ltd trading as Verif-AI, registered in England & Wales (company no. 12552686), registered office: 101 New Cavendish Street, London, England, W1W 6XH. Email support@verif-ai.co.uk.