Bug Bounty Program — Temporarily Closed
Purpose
Winston AI’s priority is protecting user data. We are not running a promotional bug bounty program; this page explains the narrow, responsible process for reporting real, in-scope security issues.
Scope (in-scope)
- app.gowinston.ai (production app)
- dev.gowinston.ai (developer environment)
- api.gowinston.ai (public API)
Out of scope
- gowinston.ai (public/informational marketing site) — no rewards or testing allowed.
- Any social-engineering, phishing, or attempts that target our support staff or third parties.
Do not report (informational / non-rewardable) — save us both time
To keep this program focused on high-impact issues, please do not submit reports for the items below unless they are demonstrably part of an exploit that leads to exfiltration of private user data. Reports that only show one of the items below will be treated as informational and will not be eligible for payment.
Do not report the following (examples):
- Email / username enumeration (e.g., different error messages or responses that reveal whether an account exists).
- Timing differences or minor timing side-channels unless they are chained to a PoC that exfiltrates PII.
- Missing or misconfigured security headers (Content-Security-Policy, X-Frame-Options, HSTS) when they do not enable data exfiltration.
- Minor UI issues, clickjacking (which by its nature requires user interaction), or weak-CSP warnings that do not lead to PII exposure.
- Information that is already public or accessible via robots.txt, sitemap, or public APIs intentionally exposing non-sensitive data.
- Out-of-date library/version numbers or software version disclosures alone (unless exploit demonstrates data theft).
- Automated scanner output with no human-verified PoC or clear reproduction steps.
- Missing or weak rate limiting, or brute-force attempts, unless they enable account takeover or bulk data export.
- Self-XSS or other low-impact XSS confined to user-controlled preview fields that cannot reach other users or access stored private data.
- Denial-of-service (DoS) attacks or volumetric abuse attempts — we do not reward DoS testing.
- Social-engineering, phishing, or staff-targeting techniques. These are not allowed.
- Vulnerabilities in third-party services or software that you do not have permission to test (report those to the vendor).
- Credential stuffing / account access demonstrated solely by using leaked credentials from other breached sites. Reports that only show access gained by reused credentials (without a distinct vulnerability in our systems that enables that access) are informational and not eligible for payment.
- Requests for general security advice, pentesting services, or non-actionable questions (use support@gowinston.ai instead).
If you think an informational issue above is part of a larger exploit: include a verifiable PoC showing how that issue is used to access or exfiltrate private user data (redacted if necessary). If you cannot safely provide a PoC, contact security@gowinston.ai for guidance before further testing.
What we pay for
We will consider discretionary rewards for verified vulnerabilities that demonstrate the ability to exfiltrate private user data at scale or enable server-side compromise. Private user data includes email addresses, account passwords or password-equivalent tokens, and uploaded user content.
Eligibility rules
- Reward-eligible findings include vulnerabilities that allow:
  - Bulk export or automated harvesting of user records (for example, an unauthenticated or poorly protected API that can be scripted to extract many records);
  - Server-side remote code execution, full database export, or other server compromise that can be used to access stored user data for many users; or
  - Any vulnerability that demonstrably enables automated, repeatable compromise of large numbers of accounts or files.
- Not reward-eligible (treated as informational) unless the reporter provides a verifiable PoC proving scalability/automation:
  - Single-account takeover scenarios that only affect one account and do not show a path to automate or scale;
  - Isolated logic/UI bugs, timing side-channels, or errors that require user interaction and cannot be automated to impact many users;
  - Scanner output or unactionable reports with no human-verified PoC;
  - Accounts accessed solely via credential stuffing or reused credentials from external breaches. Unless the report demonstrates a separate server-side vulnerability (for example, an endpoint that leaks credentials or a bypass that enables mass use of leaked credentials), these reports are informational and not eligible for payout.
Proof-of-Impact requirement
To be considered for payment, reports must include a verifiable PoC that safely demonstrates the impact (redacted screenshots or logs are acceptable). Do not exfiltrate real user data. If you cannot safely provide a PoC, contact security@gowinston.ai for guidance before further testing.
Rules of engagement / Safe testing
- Do not exfiltrate real user data. Demonstrate proof-of-concept using safe, redacted evidence that proves the issue without exposing users.
- Do not access, modify, or delete user content.
- Stop testing when asked by our security team.
- Do not perform denial-of-service, destructive testing, or social engineering.
How to submit
Email security@gowinston.ai with:
- Short summary of the issue
- Steps to reproduce (PoC) or a link to a recorded PoC (redacted)
- Impact assessment (approximate number of affected users / data types)
Because we receive a very large volume of submissions (many duplicates and automated scanner reports), acknowledgements and triage may be delayed. We will acknowledge receipt and provide next steps as soon as possible.

Important: if a qualifying report for the same vulnerability was submitted to us before your submission, subsequent duplicate reports will be treated as informational and will not be eligible for payment. To avoid delays, include a clear, verifiable PoC and do not resubmit the same issue.
Payments & verification
Validated reports are eligible for discretionary payment (up to $5,000 USD). Payment amounts are determined by impact, exploitability, evidence provided, and remediation complexity. Final reward amounts are at Winston AI’s discretion and require a verified PoC and successful validation by our security team. We reserve the right to refuse or reduce payment for duplicate reports, low-quality PoCs, or abusive behavior.
Legal & safe harbor
If you follow the Rules of Engagement above and act in good faith to help us secure our systems, we will not pursue legal action for your testing. We reserve discretion to refuse safe harbor if testing violates our rules or applicable law.
Anti-harassment policy
Repeated unsolicited requests, extortion, or harassment (including demands for payment, threats, or coordinated public disclosure to pressure payment) will be ignored and may be reported. This program exists to responsibly handle legitimate security reports — it is not a revenue or extortion channel.