Security
Vulnerability Disclosure Policy
Effective June 13, 2026
We take the security of Saidly and our customers' data seriously, and we welcome reports from security researchers acting in good faith. This policy explains how to report a vulnerability, what we ask of you while testing, and what you can expect from us.
The short version
- Email security reports to support@saidly.ai with enough detail for us to reproduce the issue.
- We do not run a bug bounty and do not pay for reports. No money, swag, or other reward is offered.
- Test only against your own account. Do not access other people's data or disrupt the service.
- Good-faith research that follows this policy is authorized, and we will not pursue legal action over it.
1. Scope
This policy covers the Saidly web application and API at saidly.ai and its subdomains, operated by Woodfire Digital, LLC. If you are not sure whether a target or a test is in scope, ask us first at support@saidly.ai before you begin.
2. How to report
Send your report by email to support@saidly.ai. Our canonical security contact is also published at /.well-known/security.txt. Please include enough detail for us to reproduce and assess the issue, ideally:
- the affected URL, endpoint, or feature;
- a clear description of the vulnerability and its security impact;
- step-by-step instructions to reproduce it; and
- any supporting proof of concept, such as requests, scripts, or screenshots.
One issue per report is easiest for us to track, and reports in English are preferred.
3. No bug bounty or rewards
Saidly does not operate a bug bounty program. We do not offer money, payment, swag, gift cards, account credit, or any other compensation for vulnerability reports, and submitting a report does not create any expectation or obligation of payment. We state this clearly so there is no misunderstanding. We are genuinely grateful for responsible disclosure, and once an issue is resolved, we are happy to publicly credit you for the find if you would like.
4. Guidelines for testing
So that your research stays within this policy, we ask that you:
- test only against accounts you own or have explicit permission to use;
- make a good-faith effort to avoid privacy violations, data destruction, and any interruption or degradation of the service;
- never access, modify, or delete data that does not belong to you, and stop as soon as you have confirmed a vulnerability;
- avoid automated scanning or traffic that could degrade the service for others, and do not perform denial-of-service or volumetric testing;
- do not use social engineering, phishing, or physical attacks against our staff, customers, or infrastructure; and
- give us a reasonable time to investigate and remediate before disclosing the issue publicly, and never disclose customer data.
5. Out of scope
The following are generally not in scope and may be closed without action:
- findings against third-party services we rely on rather than Saidly itself, for example Cloudflare, Brevo, Paddle, or the AI model providers; please report those to the relevant provider;
- denial-of-service, volumetric, rate-limit, or resource-exhaustion testing;
- output from automated tools without a demonstrated, realistic security impact;
- reports about email deliverability, SPF, DKIM, or DMARC configuration, missing security headers, or other best-practice suggestions with no concrete exploit;
- spam, social engineering, and physical security; and
- the content of AI-model responses themselves. Saidly relays statements produced by third-party models, and an unfavorable or inaccurate model response is not a security vulnerability.
6. Safe harbor
If you make a good-faith effort to follow this policy, we will consider your security research authorized, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. If a third party brings legal action against you for activity that complied with this policy, we will make it known that your actions were authorized. This safe harbor does not extend to activity that intentionally harms our customers, accesses or removes their data, or breaks the law.
7. What to expect from us
We will acknowledge your report, investigate it, and keep you informed of our progress where we reasonably can. We aim to acknowledge valid reports promptly and to prioritize fixes by severity and impact. Because we do not operate a bug bounty, we cannot commit to a fixed remediation timeline, but we take valid reports seriously and appreciate the help.
8. Changes to this policy
We may update this policy from time to time. When we make a material change, we will update the effective date above. The version in effect at the time of your report applies to that report.
9. Contact
Send security reports and any questions about this policy to support@saidly.ai, or by mail to Woodfire Digital, LLC, PO Box 20, Lithopolis, OH 43136.