Contact: mailto:security@very.org
Expires: 2027-04-07T00:00:00.000Z
Preferred-Languages: en
Canonical: https://very.org/.well-known/security.txt

# VeryAI Security Policy

## Reporting Security Vulnerabilities

If you discover a security vulnerability in any VeryAI product or service,
please report it responsibly:

1. DO NOT create a public GitHub issue
2. Email security@very.org with:
   - Description of the vulnerability
   - Steps to reproduce
   - Impact assessment
   - Any supporting evidence (screenshots, logs, PoC)
3. Allow reasonable time for us to address the issue before public disclosure

## Scope

This policy covers all VeryAI products and services, including:
- very.org and subdomains
- VeryAI mobile applications
- VeryAI smart contracts and on-chain programs
- APIs and backend services

## Response Timeline

- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Resolution: Within 30 days for critical issues

## Recognition

We appreciate responsible disclosure and may recognize security researchers
who help improve our security posture. We do not currently operate a formal
bug bounty program, but may consider rewards for significant findings on a
case-by-case basis.

## Out of Scope

- Social engineering attacks against VeryAI employees
- Denial of service attacks
- Spam or phishing
- Issues in third-party services we use