In scope
ameleva.com and its subdomains, the iOS and Android apps, the encryption boundary, and authentication and entitlement logic.
Out of scope
Vulnerabilities in third-party services we use (report those to the vendor directly), self-XSS, missing security headers without demonstrated impact, and social engineering of staff or users.
We will not pursue civil or criminal action, and will not contact law enforcement, for accidental access incidental to good-faith research conducted within the scope defined on this page.
Ameleva's responsible disclosure process: how to report, what we commit to in writing, what's in scope, and the safe-harbor terms that apply to good-faith security research. Operated by 1001511837 ONTARIO INC.
Email contact@ameleva.com. We encourage PGP-encrypted reports for any submission containing exploitation details or sample data. Until the public bounty program launches (ETA Q3 2026) and a key fingerprint is published on this page, ask for our current public key by email first; we will reply from contact@ameleva.com with the key. Include: a clear reproducer, the affected version (web build hash or app store version), expected vs actual behaviour, and the impact as you assess it. If you accidentally accessed another user's data while testing, tell us: accidental access incidental to good-faith research is covered by our safe harbor.
Critical
Acknowledge ≤ 24h. Fix or mitigation ≤ 7 days. Examples: remote code execution; authentication bypass; widespread PII or ciphertext-boundary leak; encryption-key extraction.
High
Acknowledge ≤ 48h. Fix or mitigation ≤ 30 days. Examples: targeted account takeover; entitlement bypass exposing paid content; SQL injection without direct PII exposure.
Medium
Acknowledge ≤ 5 business days. Fix or mitigation ≤ 90 days. Examples: stored XSS on authenticated pages; CSRF on state-changing actions; rate-limit bypass with clear abuse path.
Low
Acknowledge ≤ 5 business days. Fix on best-effort cadence. Examples: missing best-practice headers without demonstrated impact; verbose error messages; minor information disclosure.
We follow 90-day coordinated disclosure. A confirmed issue becomes public 90 days after the report — or sooner with reporter consent, or longer when a fix is complex and we communicate the new timeline in writing. We will not silently extend a deadline. If a reporter wants to publish before 90 days for a fixed issue, we'll coordinate the wording. If we miss our own SLA, we'll say so on this page when the fix ships.
If you make a good-faith effort to comply with this policy during your security research, we consider your research to be authorized. We will work with you to understand and quickly resolve the issue. We will not pursue civil or criminal action against you, and will not contact law enforcement for accidental access incidental to your research. If a third party (e.g. a sub-processor) initiates legal action against you for research conducted within the scope of this policy, we will make it known to that third party that your research was authorized. You remain responsible for complying with all applicable laws, and if you encounter any user data you must stop testing and notify us.
Public credit (with consent) is offered today for every confirmed report. A paid bounty program is on the roadmap with target launch in Q3 2026 — full terms, payout tiers, and ineligibility rules will be published on this page when the program goes live. We will not retroactively reclassify older accepted reports for payout.
The first credited reports will appear here. Researchers who opt in to public credit will be listed with their handle, the report date, a short summary of the finding, and a link to a writeup if they publish one. If you would prefer to remain anonymous, that's fine — just tell us in the report.
A current PGP key fingerprint for contact@ameleva.com will be published below when the public bounty program launches (ETA Q3 2026). In the meantime, send sensitive material to contact@ameleva.com and we will respond from the same address with our current key on request.
Operated by 1001511837 ONTARIO INC. — Cambridge, Ontario, Canada.