Security

Security & Vulnerability Disclosure Program

XBoost Inc. (“we,” “us,” or “our”) takes the security of AmazonGPT and its users seriously. We partner with the security community to identify and remediate vulnerabilities responsibly. This disclosure policy explains how to report issues and what to expect.

1. Scope

This program covers vulnerabilities in:
• Our public landing page
• Our Slack app backend

Other systems—third-party components, integrations, or infrastructure—may be out of scope. Please contact us to confirm.

2. How to Report

If you believe you’ve discovered a security issue, please email contact@xboost.so with:
  1. Description: What is the issue?
  2. Reproduction steps: How can we trigger it?
  3. Impact: What data or functionality is at risk?
  4. Mitigation suggestion: Any fixes or work-arounds you recommend.
  5. Your details: Name or handle, and a preferred acknowledgment link (e.g. GitHub profile).
  6. Supporting evidence: Screenshots, logs, or video demonstrations.

3. Responsible Disclosure Guidelines

When reporting, please:
• Avoid accessing or modifying data you do not own.
• Delay public disclosure until we have had a chance to address the issue.
• Provide us a reasonable period (typically 30 days) to investigate and fix before any public announcement.

4. Legal Safe Harbor

By submitting a good-faith report, you agree not to violate any applicable laws or regulations. We ask that you:
• Refrain from actions that degrade service, destroy data, or violate user privacy.
• Cooperate with us to resolve the vulnerability.

5. Acknowledgment & Rewards

While we do not offer monetary bounties at this time, we will:
• Publicly acknowledge your contribution in our Security Hall of Fame (unless you wish to remain anonymous).
• Offer a letter of recognition upon request.

6. Response Timeline

• Within 48 hours: We will confirm receipt of your report.
• Ongoing: We will update you on investigation progress and remediation steps until the issue is resolved.

7. Out-of-Scope Issues

The following are not eligible for this program:
• Denial-of-Service (DoS) attacks
• Social engineering of XBoost staff or contractors
• Physical attacks on facilities or hardware
• Third-party platform vulnerabilities (unless directly impacting our code)
• Non-reproducible issues on unsupported browsers/devices

8. Contact

For questions or to report a vulnerability, please contact: contact@xboost.so

Thank you for helping us keep AmazonGPT secure!