Vulnerability Disclosure Policy

Last updated: 2026-05-14

Promise

VoiceLab treats coordinated vulnerability disclosure as a partnership. Researchers acting in good faith under the scope and rules below will not be subject to legal action by VoiceLab under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or analogous New York unauthorized-computer-use statutes (NY Penal Law §§156.05–156.50).

How to report

  • Email security@voicelabnyc.com with a clear write-up, impact assessment, and reproduction steps.
  • Mark the report Sensitive in the subject line if the issue exposes personal data, payment data, or authentication tokens.
  • We acknowledge reports within 3 business days, validate them within 10 business days, and aim to ship a fix or compensating control within 90 days for high-severity findings.

In scope

  • voicelabnyc.com and all *.voicelabnyc.com subdomains
  • The VoiceLab REST API at /api/v1/*
  • The VoiceLab dashboard application
  • Mobile and webhook integrations published by VoiceLab

Out of scope

  • Vendor-managed surfaces we do not control (Vapi, Twilio, Stripe, Supabase Studio)
  • Automated scanner findings without a working proof of concept
  • Self-XSS, missing security headers without exploitation, clickjacking on pages with no sensitive action
  • Denial of service, brute force, social engineering, physical attacks
  • Vulnerabilities in third-party software unless they materially affect VoiceLab users

Rules

  • Stop testing as soon as you confirm a vulnerability — do not exfiltrate, modify, or destroy data.
  • Do not access or attempt to access data belonging to other tenants.
  • Do not run scans that materially degrade service for other tenants.
  • Do not publicly disclose the issue before we have shipped a fix or 90 days have elapsed (whichever comes first), unless we agree otherwise in writing.
  • Use a clearly identifiable user-agent so we can distinguish your testing from an attack.

Recognition

With your permission we will list reporters of validated findings on the Hall of Fame below. VoiceLab does not currently run a paid bug bounty program; recognition is non-monetary.

Hall of fame

No reports validated yet.

Preferred languages

English.

Machine-readable policy

See /.well-known/security.txt for the RFC 9116-compliant version of this contact metadata.

Questions about this policy: legal@voicelabnyc.com.
