Security & Vulnerability Disclosure
Last updated: May 9, 2026
VIVE AI, Inc. takes the security of our customers and their data seriously. We welcome reports from security researchers and the broader community. This page describes how to report a vulnerability to us, what is in scope, what we ask you not to do, and how we will respond.
How to report a vulnerability
Email security@vivepros.com. English is preferred. Please include:
- A clear description of the issue and its impact.
- Step-by-step reproduction instructions (URL, request, payload, screenshot, or proof-of-concept code).
- The affected product, environment (production / staging), and timestamp.
- Your name or handle if you would like to be credited.
We will acknowledge your report within 5 business days and aim to provide a remediation status update at least every 14 days until the issue is resolved or otherwise dispositioned. For machine-readable contact details, see /.well-known/security.txt (RFC 9116).
Scope
The following systems and assets are in scope for security research:
- All *.vivepros.com web properties (marketing site, app, and locale subpaths).
- The VIVE backend API service, including any api.vivepros.com or equivalent host published in our documentation.
- VIVE-published mobile applications, browser extensions, and CLI tooling, if any.
- VIVE-owned public source code repositories.
Out of scope
The following are not in scope and should not be tested. Reports limited to these are unlikely to qualify:
- Denial-of-service attacks, volumetric load testing, distributed scanning, or any activity intended to degrade availability.
- Social engineering, phishing, or pretexting against VIVE employees, contractors, vendors, or customers.
- Physical attacks against our offices, hardware, or staff.
- Findings on third-party services we rely on (e.g., Stripe, Supabase, Vercel, Sentry, OpenAI, Meta, Google) — please report those to the third party directly. See our Subprocessors page for the list.
- Reports based solely on automated scanner output without a demonstrated security impact.
- Self-XSS, attacks requiring an already-compromised end-user device, missing best-practice headers without exploit, missing rate limits without demonstrated abuse, or use of outdated software without a working exploit.
- Generated content from our AI products that you find objectionable but that does not constitute a security vulnerability — please use Report Content instead.
Safe harbor
We consider security research conducted under this policy to be authorized, constructive, and protected. If you make a good-faith effort to comply with this policy during your research:
- We will not pursue or support any legal action against you for accidental, good-faith violations of this policy, including under the U.S. Computer Fraud and Abuse Act, the Digital Millennium Copyright Act anti-circumvention provisions, or equivalent state, federal, or international laws.
- We will work with you to understand and resolve the issue quickly, and we will recognize your contribution publicly if you would like.
- If a third party (such as a law enforcement agency or a service provider) initiates legal action against you for activities conducted under this policy, we will take reasonable steps to make it known that your actions were authorized.
To stay within this safe harbor, please:
- Only access, copy, modify, or use customer data to the minimum extent necessary to demonstrate the issue, and stop and report as soon as you have a working proof-of-concept.
- Do not exfiltrate, retain, or share customer data after submitting your report. Securely delete any copies once we confirm the report.
- Give us a reasonable time to investigate and remediate before publicly disclosing the issue. We aim to coordinate disclosure within 90 days of the initial report unless we agree to a different timeline.
- Do not violate any other applicable law.
If you are unsure whether a particular activity is permitted under this policy, ask us first at security@vivepros.com.
What we will do
- Acknowledge receipt of your report within 5 business days.
- Triage and validate the report, and follow up with you with status updates at least every 14 days while the issue is open.
- Notify you when the vulnerability is fixed or otherwise dispositioned.
- On request, credit you (by name or handle) in our public release notes or a security acknowledgements list.
Bug bounty
We do not currently operate a paid bug bounty program. We may offer rewards (such as swag or account credit) at our discretion for impactful, novel reports.
Other contacts
For non-security legal or regulator inquiries, contact legal@vivepros.com. For privacy / data-subject requests, see our Privacy Request page. For DMCA copyright notices, see Section 13 of our Terms of Service.