Vulnerability Disclosure Policy

Effective date: April 13, 2026 · Last updated: April 13, 2026

Amy (“we”, “us”, “our”) is committed to the security of our users and their data. We welcome reports from security researchers and the broader community to help us identify and address vulnerabilities in our services.

Scope

This policy applies to the following assets owned and operated by Amy:

  • amyea.com — the Amy web application and marketing site
  • Amy APIs — all backend services and API endpoints serving the Amy application
  • Amy mobile app — the iOS application distributed via Apple TestFlight or the App Store

How to Report a Vulnerability

Please send your report by email to security@amyea.com.

Use a descriptive subject line such as “Security Vulnerability Report — [brief description]”.

If you believe the issue is highly sensitive, email us first to request our PGP key, then send the full details encrypted.

What to Include in Your Report

To help us assess and respond efficiently, please include as much of the following as possible:

  • A description of the vulnerability and its potential impact
  • The affected asset (web app, API, mobile app) and the specific URL, endpoint, or screen
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept code, screenshots, or logs
  • Your assessment of the severity (critical, high, medium, low)
  • Your name or handle (for recognition, if desired)
  • Your preferred contact method for follow-up

Safe Harbor

We support good-faith security research. If you follow this policy, we commit to:

  • Not pursuing legal action against you for your research activities
  • Not filing complaints with law enforcement regarding your research
  • Working with you to understand and resolve the issue promptly

To qualify for safe harbor, you must:

  • Act in good faith and avoid actions that harm our users, disrupt our services, or destroy data
  • Not access, modify, or delete data belonging to other users
  • Stop testing and report the issue promptly once you have confirmed a vulnerability
  • Not publicly disclose the vulnerability until we have had a reasonable opportunity to address it; we ask that you wait at least 90 days from the date of your report before any public disclosure
  • Comply with all applicable laws

Response Timeline

We commit to the following response targets:

Step                                         Timeline
Acknowledge receipt of your report           Within 48 hours
Initial triage and severity assessment       Within 5 business days
Status update on remediation progress        Within 15 business days
Notification when the issue is resolved      Promptly after the fix is deployed

If we need more time, we will keep you informed of our progress.

Out of Scope

The following are not covered by this policy and should not be tested:

  • Social engineering attacks against Amy employees or users (phishing, vishing, pretexting)
  • Denial of service (DoS/DDoS) attacks or any testing that degrades service availability
  • Physical security testing of offices, data centers, or infrastructure
  • Third-party services we rely on but do not control (Google, Supabase, Clerk, AWS, Vercel, Apple, Make.com)
  • Spam or bulk messaging through Amy features
  • Automated scanning that generates excessive traffic or load
  • Issues already known or previously reported and under remediation
  • Vulnerabilities in outdated browsers or unsupported platforms
  • Missing security headers or other low-severity configuration issues that do not present a concrete risk

If you are unsure whether your research falls within scope, contact us at security@amyea.com before testing.

Recognition

We appreciate the efforts of security researchers who help keep Amy safe. With your permission, we will acknowledge your contribution on our security page. Researchers who report valid vulnerabilities may choose to be listed in our hall of fame; listing is optional.

Bounty Program

Amy does not currently operate a paid bug bounty program. We are a small team and are unable to offer financial rewards at this time. We do offer public recognition and our sincere gratitude for valid reports.

Changes to This Policy

We may update this policy from time to time. The current version will always be available at amyea.com/security.

Contact

Email: security@amyea.com
