Security at Beaverly
Vulnerability Disclosure Policy
Beaverly welcomes good-faith security research. This policy explains how to report a suspected vulnerability in our services, what you can expect from us, and the safe-harbor terms that protect researchers who follow it.
Beaverly AI Inc. (“Beaverly”) builds an AI system that captures software engineering activity to support SR&ED claims, and the security of the data our customers entrust to us is foundational to that work. If you believe you have found a security vulnerability in a Beaverly service, we want to hear from you. This policy works alongside our Personal Data Protection Policy and our Terms of Service.
What is in scope
This policy covers Beaverly’s production services and infrastructure:
- beaverly.ai — public website
- admin.beaverly.ai — admin portal
- workspace.beaverly.ai — workspace portal
- Supporting APIs operated by Beaverly
The following activities and targets are out of scope:
- Denial-of-service (DoS / DDoS) testing or volumetric attacks
- Social engineering or phishing of Beaverly staff or customers
- Physical attacks against Beaverly offices, personnel, or infrastructure
- Spam, content injection without security impact, or automated scanner noise
- Third-party services not operated by Beaverly — report issues with those directly to the vendor
How to report a vulnerability
Email security@beaverly.ai with a description of the issue, steps to reproduce, the affected URL or component, and any proof-of-concept material.
What we ask of you (safe harbor)
Beaverly will not pursue legal action against researchers who comply with this policy. In return, we ask that you:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption;
- Do not access, modify, or exfiltrate data that is not your own — if you encounter another user's data, stop and report immediately;
- Do not publicly disclose the issue until we have confirmed a fix or 90 days have passed, whichever comes first.
What you can expect from us
We acknowledge reports within 3 business days and provide a status update within 10 business days. Confirmed vulnerabilities are triaged and remediated according to Beaverly’s vulnerability management SLAs, and we keep you informed as we remediate. With your permission, we are happy to credit you once the issue is resolved.
Rewards
Beaverly does not currently operate a paid bug bounty program, and this policy does not offer monetary rewards. This is a responsible disclosure policy: we deeply appreciate reports, acknowledge researchers who help keep Beaverly secure, and will reassess a paid program as the company grows.
Changes to this policy
We may update this policy from time to time. The latest version is always published on this page, and the “Last reviewed” date above reflects the most recent review. Questions about this policy can be sent to security@beaverly.ai.
Toronto, ON