Responsible Disclosure Policy

Last updated: March 4, 2026

At Celavii, we take the security of our platform and our users' data very seriously. We encourage security researchers and members of the community who discover potential security vulnerabilities in any Celavii service to disclose them to us in a responsible manner. This Responsible Disclosure Policy outlines steps for reporting vulnerabilities, our commitments to you, and what you can expect from us.


Our Commitment to You

For all individuals who report suspected vulnerabilities in alignment with this Responsible Disclosure Policy, Celavii promises to:

  • Maintain confidentiality regarding your identity and the details of your report;
  • Acknowledge receipt of your vulnerability report within 3 business days;
  • Assess the validity of the submission and evaluate for severity and impact;
  • Provide an initial assessment of severity within 10 business days of acknowledgment;
  • Notify you when the vulnerability has been resolved;
  • Publicly acknowledge your responsible disclosure, if you wish and upon mutual agreement; and
  • Not pursue legal action against individuals who conduct security research in good faith and in compliance with this Policy.

Scope

The following assets are in scope for security testing under this Policy:

  • celavii.com — Primary website and application
  • app.celavii.com — Platform application (if applicable)
  • api.celavii.com — API endpoints (if applicable)
  • Celavii mobile applications (if applicable)

Out of Scope

The following are not in scope and must not be tested:

  • Third-party services and platforms that integrate with Celavii, including but not limited to Stripe, Supabase, Vercel, Apify, Instagram, and TikTok;
  • Third-party websites, applications, or services linked from the Celavii platform;
  • Celavii's social media accounts or pages on third-party platforms; and
  • Physical infrastructure, offices, data centers, or facilities.

Guidelines and Rules

Permitted Activities

You may only conduct security testing under the following conditions:

  • You must use an account for which you are the Account Owner or have been expressly authorized by the Account Owner to conduct such testing;
  • All testing must be conducted in compliance with this Responsible Disclosure Policy, Celavii's Terms of Service, and all applicable laws and regulations;
  • Testing must be limited to identifying and reporting vulnerabilities and must not extend to exploiting them beyond what is minimally necessary to demonstrate the vulnerability; and
  • You must stop testing and report immediately if you encounter any user data that does not belong to you.

Prohibited Activities

Celavii strictly prohibits the following types of research and testing:

  • Intentionally accessing, or attempting to access, data or accounts that do not belong to you;
  • Executing, or attempting to execute, a Denial of Service (DoS/DDoS) attack, resource exhaustion, or stress testing against Celavii systems or networks;
  • Sending, or attempting to send, unsolicited or unauthorized email, spam, or other forms of unsolicited messages through the Services;
  • Conducting research through social engineering, phishing, vishing, smishing, pretexting, or other deceptive means targeting Celavii employees, contractors, customers, or users;
  • Testing third-party websites, applications, or services that integrate with or are linked from Celavii;
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware, viruses, trojans, ransomware, or similar harmful software;
  • Modifying, deleting, or exfiltrating data belonging to other users or customers;
  • Conducting any form of security testing or auditing of physical locations, including Celavii offices or data center facilities;
  • Automated scanning or testing that generates excessive traffic or could degrade the Services for other users;
  • Research conducted by minors, individuals on sanctions lists, or individuals in countries on sanctions lists; and
  • Any activity that violates applicable local, state, national, or international law.

Safe Harbor

Celavii reserves all of its legal rights in the event of noncompliance with this Responsible Disclosure Policy. However, Celavii does not intend to pursue legal action against individuals who:

  • Conduct security research and disclose vulnerabilities to us in good faith and in accordance with this Policy;
  • Avoid actions that could cause harm to Celavii, our customers, or our users;
  • Do not access, modify, or delete data belonging to others;
  • Comply with all applicable laws and regulations; and
  • Follow the submission and confidentiality requirements described in this Policy.

If legal action is initiated by a third party against you for activities conducted in compliance with this Policy, Celavii will take reasonable steps to make it known that your actions were conducted in accordance with this Policy.


Submitting Your Vulnerability Report

Please submit all suspected vulnerabilities by email to security@celavii.com.

What to Include

In reporting any suspected vulnerabilities, please include the following information to help us reproduce and assess the issue:

  • A clear description of the vulnerability, including the type of issue (e.g., XSS, SQL injection, authentication bypass, IDOR, etc.);
  • Step-by-step instructions to reproduce the vulnerability;
  • The URL(s), endpoint(s), or component(s) affected;
  • Any tools, scripts, or payloads used in your testing;
  • The potential impact and severity of the vulnerability;
  • Screenshots, videos, or proof-of-concept code, if available; and
  • Your contact information for follow-up.

Confidentiality Requirements

To protect the privacy and security of our users:

  • Do not publicly disclose details about any suspected vulnerabilities that you may have identified without express written consent from Celavii;
  • Do not share vulnerability details with any third party without Celavii's prior written approval;
  • Immediately after submitting your report, delete or destroy any local or cached copies of data you may have accessed or received during your testing; and
  • Allow Celavii reasonable time to investigate and remediate the vulnerability before any public disclosure.

Severity Classification

Celavii classifies reported vulnerabilities using the following severity framework:

Severity levels, with a description and examples of each:

  • Critical: Immediate risk of significant data breach, unauthorized access to customer data, or complete system compromise. Examples: remote code execution, SQL injection with data access, authentication bypass to admin, mass data exfiltration.
  • High: Significant risk that could lead to unauthorized access, data exposure, or material service disruption. Examples: privilege escalation, stored XSS in authenticated context, IDOR exposing customer data, API key leakage.
  • Medium: Moderate risk that requires specific conditions or limited exploitation. Examples: reflected XSS, CSRF on non-critical functions, information disclosure of non-sensitive data, session fixation.
  • Low: Minimal risk with limited impact. Examples: missing security headers, verbose error messages, minor information disclosure, clickjacking on non-sensitive pages.
  • Informational: No direct security impact but may indicate areas for improvement. Examples: best practice recommendations, configuration suggestions.

Rewards and Recognition

Celavii may, at its sole discretion, offer rewards or recognition to individuals who submit valid, original vulnerability reports in compliance with this Policy. The availability and amount of any reward depends on:

  • The severity and potential impact of the vulnerability;
  • The quality and completeness of the report;
  • Whether you are the first person to report the specific vulnerability;
  • Whether the vulnerability is confirmed and validated by Celavii's security team; and
  • Your full compliance with the terms, rules, and restrictions of this Policy.

Celavii makes no guarantee, express or implied, that any rewards or compensation will be offered for any report. All reward decisions are at the sole discretion of Celavii.

Recognition

With your permission, Celavii may publicly acknowledge your contribution to our security on our website or security page. If you prefer to remain anonymous, we will respect that preference.


Response Timeline

Stages and their target timelines:

  • Acknowledgment: Within 3 business days of receipt
  • Initial Assessment: Within 10 business days of acknowledgment
  • Status Update: At least every 15 business days during investigation
  • Resolution: Varies based on severity and complexity
  • Notification of Resolution: Within 5 business days of fix deployment

These timelines represent targets and may vary depending on the complexity of the vulnerability and the remediation required. Celavii will make reasonable efforts to keep you informed throughout the process.


Contact

For all security vulnerability reports and inquiries related to this Policy:

Email: security@celavii.com

For general legal inquiries, please contact legal@celavii.com.

For privacy-related inquiries, please contact privacy@celavii.com.


Changes to This Policy

Celavii may update this Responsible Disclosure Policy from time to time. The "Last updated" date at the top of this Policy will be updated to reflect any changes. We encourage you to review this Policy periodically.