Why this exists
Hayaiti is an early-stage productized engineering studio with a cybersecurity practice. External research gets the treatment we’d want as researchers ourselves: fast triage, no legal threats for good-faith work, public credit when you want it.
Scope
The following are in scope for disclosure:
- hayaiti.com and its subdomains.
- Open-source repositories under github.com/hayaiti.
- Hosted apps and services we own and operate, where we are clearly identified as the operator.
For client systems we’ve helped build or audit, contact us first with the client name — we’ll relay your findings to the client and obtain authorization before any further testing.
Out of Scope
The following don’t qualify and may also be illegal:
- Denial-of-service (DoS / DDoS), volumetric tests, or any test that degrades service availability.
- Social engineering of Hayaiti staff, clients, contractors, or vendors.
- Physical attacks on offices, infrastructure, or personnel.
- Findings that require root, jailbreak, or compromise of an end user’s device.
- Reports based purely on missing security headers, weak ciphers, or automated scanner output without a working proof-of-concept.
- Anything affecting third-party vendors we use (e.g., Vercel, Stripe). Report those upstream.
- Spam, phishing kits, or vulnerabilities in services we don’t operate.
Reporting Process
- Email security@hayaiti.com with a clear summary, reproduction steps, impact, and affected URL or asset.
- For sensitive findings, request our PGP key by emailing security@hayaiti.com with the subject "PGP key request". We’ll reply with the current public key and fingerprint within 24 hours.
- Give us a reasonable window to fix — typically 90 days — before public disclosure. We’ll coordinate the timeline with you.
- Don’t access, modify, or delete data that isn’t yours. Stop testing as soon as you’ve confirmed the vulnerability.
Our SLA
- Acknowledgement: within 2 business days.
- Triage & severity assessment: within 5 business days.
- Remediation target: 30 days for critical, 60 days for high, 90 days for medium — tracked publicly where possible.
- Status updates: at least every 14 days until close.
Acknowledgment
Confirmed reporters get public credit (with your consent) on the Vulnerability disclosure program section of Hayaiti Labs — name, handle, or organization, and a link to your write-up after the fix ships. The wall fills as real reports land. We don’t pad it with placeholders.
We do not currently run a paid bug bounty program for our own assets. For high-impact reports we may, at our discretion, offer swag, a donation to a charity of your choice, or a consulting credit.
Safe Harbor
If you make a good-faith effort to comply with this policy, we’ll:
- Not pursue or support any legal action against you under the Computer Fraud and Abuse Act (CFAA), DMCA anti-circumvention provisions, or equivalent foreign laws.
- Consider your activity authorized for the purposes of any anti-hacking laws and waive any restrictions in our Terms of Service that would otherwise prohibit it.
- Work with you to understand and resolve the issue and recognize your contribution publicly.
If a third party initiates legal action against you for activity conducted in good faith under this policy, we’ll make it known that your activity was authorized.
We can’t authorize testing against client systems — your safe harbor for those is conditional on us obtaining client authorization first. Contact us before touching any client asset.
Contact
Reports: security@hayaiti.com. For sensitive findings, use the PGP key above. For non-security questions, email hello@hayaiti.com.
This policy is loosely based on disclose.io terms. We’ll always interpret it in favor of researchers acting in good faith.