Legal

Responsible Disclosure Policy

Last updated: June 5, 2026

1. Introduction

The security of Hello Alice and the safety of our users' data are foundational to our mission of helping small business owners run and grow their businesses. We appreciate the work of security researchers acting in good faith to identify and responsibly report vulnerabilities, and we are committed to working with researchers who do so.

"Hello Alice," "we," "us," and "our" refer to Circular Board, Inc., a Delaware corporation doing business as Hello Alice.

This policy is intended for security researchers. If you are a Hello Alice user with a general concern about your account, contact us at compliance@helloalice.com instead.

2. Scope of systems

This policy covers internet-facing systems, applications, and websites that Hello Alice owns, operates, or controls directly, including:

This policy does not cover systems, services, or applications owned, operated, or controlled by third parties, including our service providers and subprocessors (such as AWS, Vercel, Anthropic, Auth0, Stripe, Segment, and similar). Report vulnerabilities in those services directly to the relevant provider.

3. Scope of vulnerabilities

In scope

We welcome reports of technical vulnerabilities that could affect the confidentiality, integrity, or availability of Hello Alice or our users' data, including:

  • Authentication and session management issues
  • Authorization and access-control issues, including AI advisor authorization scope
  • Injection vulnerabilities (SQL, command, server-side request forgery, etc.)
  • Cross-site scripting, cross-site request forgery, and related browser-side issues
  • Sensitive information disclosure
  • Server-side vulnerabilities in our infrastructure
  • Vulnerabilities in the AI advisor that allow extraction of other users' data or bypass of intended access controls
  • Logic flaws with security or privacy implications

Out of scope

The following are out of scope for this policy and are not eligible for safe-harbor protections under it:

  • Third-party services we use (see Section 2)
  • Third-party content hosted on or surfaced through Hello Alice
  • Denial-of-service attacks, including volumetric, application-layer, and resource-exhaustion attacks
  • Social engineering of Hello Alice employees, contractors, vendors, or users
  • Physical security testing of Hello Alice offices, equipment, or personnel
  • Spam, phishing, or fraudulent content posted by users (report to abuse@helloalice.com)
  • Best-practice findings without a demonstrable security impact (such as missing security headers, weak SSL/TLS configurations, or missing HttpOnly or Secure flags) absent a working proof of concept
  • Brute-force attacks against any account that is not yours
  • Vulnerabilities affecting only outdated browsers, end-of-life operating systems, or unsupported devices
  • Self-XSS and other attacks that require the victim to take unusual actions against themselves
  • Widely publicized zero-day vulnerabilities in third-party software for which a patch has been available for less than 30 days
  • Issues already known to us or already reported by another researcher

AI safety and model behavior reports are also out of scope

Issues related to the AI advisor's outputs are not security vulnerabilities and are not in scope for this policy. This includes:

  • AI advisor "jailbreaks" or prompt-injection attempts intended to elicit responses outside the advisor's intended behavior
  • Harmful, inaccurate, biased, or misleading content generated by the AI advisor
  • Concerns about the AI advisor's recommendations or advice
  • General red-teaming or adversarial testing of the AI advisor

If you have a concern about the AI advisor's behavior or outputs, please report it to compliance@helloalice.com rather than through this policy. We take such reports seriously, but they are handled through a different process and the safe-harbor protections in Section 5 do not apply.

4. How to submit a report

Send your report to security@helloalice.com.

A good report includes:

  • A clear summary of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue, including the affected URL, endpoint, or feature
  • Any supporting screenshots, logs, or proof-of-concept code that helps us understand the issue
  • Your name and a way to contact you for follow-up (you may submit anonymously, but we cannot offer recognition for anonymous reports)

Please submit one vulnerability per report.

What we ask of you

When you conduct security research within the scope of this policy, you agree to:

  • Test only against accounts you own or against test accounts you have created for the purpose of research.
  • Stop testing as soon as you have confirmed a vulnerability and report it to us. Do not exploit further than is reasonably necessary to demonstrate the issue.
  • Avoid accessing, modifying, deleting, or exfiltrating data belonging to any other Hello Alice user. If you inadvertently access another user's data, stop immediately, do not retain it, and tell us in your report.
  • Avoid disrupting, degrading, or interfering with the operation of Hello Alice or the experience of other users. Do not conduct denial-of-service testing, high-rate automated scanning, or anything that could affect availability.
  • Avoid social engineering of Hello Alice employees, contractors, vendors, or users.
  • Coordinate with us on the timing of any public disclosure. We support researchers' right to publicly disclose vulnerabilities they discover and we will work with you in good faith to coordinate timing in a way that does not put our users at risk.
  • Not require payment, compensation, or any other consideration as a condition of disclosure.
  • Comply with all applicable laws, including U.S. export controls and sanctions laws. You must not be listed on the U.S. Treasury Department's Specially Designated Nationals and Blocked Persons List or any other sanctions list, and you must not be located in any country subject to comprehensive U.S. sanctions.

If you are unsure whether something is in scope or whether your planned approach is consistent with this policy, contact us at security@helloalice.com before you proceed.

5. Safe harbor

If you make a good-faith effort to comply with this policy and the guidelines in Section 4, Hello Alice considers your security research authorized. We will not pursue or support legal action against you under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, similar federal or state laws, or our Terms of Service for the research itself.

Safe harbor under this policy is conditioned on your good-faith compliance with Section 4 and is subject to Hello Alice's own compliance with applicable laws. Disclosures to us must be unconditional and may not involve extortion or threats. Safe harbor does not extend to conduct outside the scope of this policy or to activities that violate applicable law beyond the specific authorizations described above.

6. What you can expect from us

When you submit a report through this policy, we will:

  • Acknowledge receipt within three (3) business days.
  • Provide an initial assessment within ten (10) business days, including whether the report describes a vulnerability we agree is in scope and whether it duplicates an existing report.
  • Keep you updated as we investigate and remediate.
  • Notify you when the issue is fixed.
  • Protect your identity. We will not disclose your name or contact information without your consent, unless required by valid legal process.
  • Acknowledge your contribution in our security acknowledgments with your permission and at your preferred level of attribution (full name, handle, or anonymous reference).

We do not currently offer monetary rewards (a "bug bounty") for vulnerability reports. We may add a bounty program in the future as our security program matures.

7. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, scope, or applicable law. When we make changes, we will post the updated policy with a new "Last Updated" date.

Vulnerabilities reported in good faith under a prior version of this policy will be evaluated under the version that was in effect when the report was made.

8. Change log

This appendix logs notable updates to this Responsible Disclosure Policy. The body of the policy describes Hello Alice's current practices, not historical ones.

Version effective June 5, 2026

Initial publication of Hello Alice's Responsible Disclosure Policy. Establishes the framework for good-faith security research, including the scope of authorized testing, rules of engagement, safe-harbor commitments, and our response practices.

Contact

Security research and vulnerability reports

security@helloalice.com

General security concerns about your account

compliance@helloalice.com

AI advisor behavior, content concerns, or jailbreak attempts

compliance@helloalice.com (see Section 3)

Fraud, abuse, or phishing

abuse@helloalice.com