If you’ve discovered a security vulnerability in ABV, we want to hear from you. Our responsible disclosure program provides a clear process for reporting security issues while protecting our customers.

What We Offer

When you report a vulnerability through our responsible disclosure program:
  • Fast response: Acknowledgment within 2 business days
  • Regular updates: We’ll keep you informed of our progress
  • Coordinated disclosure: Work with you on public disclosure timing
  • Public credit: Recognition in our security hall of fame (if desired)
Note: We currently do not offer monetary bug bounty rewards, but we deeply appreciate your contributions and will publicly recognize your work (with your permission).

How to Report a Vulnerability

Email your findings to security@abv.dev with the subject line: [Security] Brief description of vulnerability

Include in your report:
  • Clear description of the vulnerability
  • Impact and what an attacker could accomplish
  • Affected components (web app, API, SDK, etc.)
  • Detailed steps to reproduce
  • Proof of concept (code, screenshots, or videos) if available
Do not report vulnerabilities through public channels (GitHub issues, social media, forums, or support tickets). These don’t guarantee confidential handling.
What to expect:
  • Acknowledgment within 2 business days
  • Regular updates on our investigation and remediation progress
  • Coordination on public disclosure timing after the fix is deployed
  • Public credit in our security hall of fame (if desired)
Remediation timelines:
  • Critical: 24-48 hours
  • High: 1 week
  • Medium: 2-4 weeks
  • Low: Next release cycle

Scope and Guidelines

In Scope

  • Web Applications: ABV Dashboard (https://app.abv.dev), authentication flows, user interfaces
  • APIs: Public REST APIs at app.abv.dev, SDK communication, LLM Gateway
  • Infrastructure: *.abv.dev subdomains, SSL/TLS configuration, DNS security
Examples of in-scope vulnerabilities: XSS, CSRF, authentication/authorization bypasses, injection vulnerabilities, SSRF, business logic flaws

Out of Scope

  • Physical security, social engineering, phishing
  • Third-party services (AWS, ClickHouse, CDN providers, LLM providers)
  • DDoS or volumetric attacks
  • Already-known issues or duplicates
DDoS testing will result in your IP being blocked. If you believe you’ve found a denial of service vulnerability, describe it theoretically without executing the attack.

Legal Safe Harbor

We commit to not pursuing legal action against security researchers who:
  • Conduct research in accordance with these guidelines
  • Report vulnerabilities promptly and responsibly
  • Make a good faith effort to avoid harm
  • Don’t violate laws unrelated to security research
Safe harbor protection does not apply if you test systems outside our defined scope, access customer data beyond demonstrating a vulnerability, publicly disclose before we’ve fixed it, or use vulnerabilities for personal gain. If you’re unsure whether your testing is within bounds, ask us first at security@abv.dev.
