Vulnerability Disclosure

TalkWriter welcomes security researchers who find and responsibly disclose vulnerabilities. We operate a bug bounty program with cash rewards for qualifying discoveries.

Bug Bounty Reward Tiers

Severity   Description                                                          Reward
--------   -----------                                                          ------
Critical   Remote code execution, authentication bypass, data breach            $1,000 - $5,000
High       Privilege escalation, significant data exposure, SSRF                $500 - $1,000
Medium     Stored XSS, CSRF, information disclosure                             $200 - $500
Low        Reflected XSS, minor information leaks, best practice issues         $50 - $200

Reward amounts are determined by severity, impact, and quality of the report.

In Scope

The following assets are in scope for security testing:

  • talkwriter.ai — Marketing website
  • app.talkwriter.ai — Web application
  • api.talkwriter.ai — Backend API
  • admin.talkwriter.ai — Enterprise Admin Portal
  • TalkWriter macOS desktop application
  • auth.talkwriter.ai — Authentication service

Out of Scope

The following are not eligible for bounty rewards:

  • ❌ Social engineering attacks against TalkWriter employees
  • ❌ Physical attacks against TalkWriter offices or infrastructure
  • ❌ Denial-of-service (DoS/DDoS) attacks
  • ❌ Spam or email flooding
  • ❌ Vulnerabilities in third-party services we do not control
  • ❌ Reports from automated scanners without a demonstrated impact
  • ❌ Missing security headers without a proven exploit

How to Report

  1. Email your findings to security@talkwriter.ai
  2. Include:
    • A clear description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Screenshots or proof-of-concept (if available)
  3. We acknowledge your report within 2 business days
  4. We provide a fix timeline within 5 business days
  5. You receive your reward after the fix is verified

Safe Harbor

TalkWriter commits to the following for good-faith security researchers:

  • We will not take legal action against researchers who follow this policy
  • We will not suspend your TalkWriter account for authorized testing
  • We will credit you publicly (if you wish) after the vulnerability is fixed
  • We ask that you do not access other users' data or disrupt the service

FAQ

Can I test with my own account? Yes. Create a free or Pro account and test against your own data only.

How long until a fix is deployed? Critical vulnerabilities are patched within 24 hours. High severity within 7 days. Medium and low within 30 days.

Do you have a PGP key for encrypted reports? Yes. Request our PGP public key at security@talkwriter.ai.