Vulnerability Disclosure Policy for ListenUp Dictation
Last Updated: July 23, 2025
ThoFlow AI is committed to ensuring the security of our services and protecting our users' data. We value the crucial role that independent security researchers play in this ecosystem. This Vulnerability Disclosure Policy (VDP) is intended to provide clear guidelines for conducting vulnerability research and to define how to report your findings to us.
We encourage you to contact us to report potential vulnerabilities in our systems. Your efforts and collaboration are highly appreciated and will help us keep our community safe.
Our Commitment & Safe Harbor
When working with us according to this policy, you can expect us to:
- Acknowledge receipt of your report promptly, typically within 3 business days.
- Work with you to understand and validate your findings.
- Provide an estimated timeframe for addressing the vulnerability and strive to keep you informed of our progress.
- Notify you when the vulnerability is remediated.
- Publicly recognize your contribution, with your consent.
Safe Harbor: ThoFlow AI will not initiate legal action against you for security research activities that are conducted in good faith and adhere to this policy. We consider research conducted under this policy to be authorized in accordance with anti-hacking laws. Should legal action be initiated by a third party against you for activities that were conducted in compliance with this policy, we will take steps to make it known that your actions were in compliance with this policy.
How to Report a Vulnerability
If you believe you have discovered a security vulnerability in one of our in-scope services, please submit a report to us via email at:
Please include the following information in your report:
- A clear description of the vulnerability, including the type of vulnerability (e.g., Cross-Site Scripting, SQL Injection, Remote Code Execution).
- The system or service where the vulnerability was observed.
- Detailed steps to reproduce the vulnerability. This should be a benign, non-destructive proof of concept. Screenshots or videos are helpful.
- Any potential impact of the vulnerability.
- Your name or handle, if you wish to be publicly credited for your discovery.
Guidelines for Responsible Research
To remain in compliance with this policy, you must:
- Notify us as soon as possible after discovering a potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use an exploit to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before any public disclosure. We ask that you refrain from sharing information about the vulnerability for at least 90 days after our initial acknowledgement of your report.
- Securely delete any data retrieved during your research as soon as it is no longer required or within 30 days of the vulnerability being resolved, whichever comes first.
Scope
This policy applies to the ListenUp Dictation application and its associated public-facing services and websites.
Out-of-Scope Systems & Activities:
While we value all security research, the following are not covered by this policy:
- Third-party services or sub-processors. Please report vulnerabilities in third-party services directly to the respective service provider.
- Physical testing (e.g., office access, tailgating).
- Social engineering (e.g., phishing, vishing) of our employees, contractors, or users.
- High-intensity, invasive, or destructive scanning tools that could disrupt our services.
- Denial of Service (DoS or DDoS) attacks.
- Reports detailing non-exploitable vulnerabilities or those that are in line with accepted "best practice" risks (e.g., missing security headers without a demonstrated impact).
- Reports regarding TLS configuration weaknesses (e.g., "weak" cipher suites).
If you have questions about whether a particular system or activity is in scope, please contact us at [email protected] before beginning your research.
Thank you for helping to keep ListenUp Dictation and our users safe.