Responsible Disclosure Policy
Last updated: 1 April 2026
RingDesk AI takes security seriously. We welcome reports from the security research community and commit to working with researchers in good faith to resolve issues quickly and responsibly.
If you have discovered a potential security vulnerability in any RingDesk AI system, please follow this policy. We will not pursue legal action against researchers who act in good faith under these guidelines.
1. Scope
This policy covers:
- The RingDesk AI web application (ringdesk.ai and all subdomains)
- The RingDesk AI dashboard and API (api.ringdesk.ai)
- Our mobile-responsive web interface
- Authentication systems (login, signup, OAuth flows)
- Customer data handling and API endpoints
Out of scope:
- Social engineering attacks targeting our employees or customers
- Physical security of our infrastructure
- Denial of service (DoS/DDoS) attacks
- Findings from automated scanners without evidence of exploitability
- Third-party services we use (report these directly to those vendors)
- Missing HTTP headers with no direct security impact
2. What We Ask of You
- Act in good faith — only access data that belongs to your own test account
- Do not modify or delete customer data, even for testing
- Do not disrupt production — avoid actions that degrade the service for other users
- Report immediately — do not exploit a vulnerability beyond what is necessary to demonstrate it
- Give us time — allow us a reasonable time to investigate and resolve before any public disclosure (see our timeline below)
- Keep it confidential — do not share your findings with others until we have deployed a fix and agreed a disclosure date with you
3. How to Report
Email your findings to security@ringdesk.net.
Please include:
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Screenshots, HTTP requests/responses, or proof-of-concept code where relevant
- Your suggested CVSS score if you are able to assess it
- Your contact details and preferred way to communicate
For sensitive reports, you may request our PGP public key from security@ringdesk.net and use it to encrypt your report before sending. Before encrypting anything sensitive, confirm the key's fingerprint with us so you know the key you received is ours.
4. Our Response Timeline
- Acknowledgement: within 2 business days of receipt
- Initial assessment: within 5 business days — we will confirm whether the issue is in scope and its severity
- Resolution timeline: Critical (CVSS 9.0–10.0) within 7 days; High (CVSS 7.0–8.9) within 30 days; Medium (CVSS 4.0–6.9) within 60 days; Low (CVSS 0.1–3.9) within 90 days
- Disclosure coordination: we will notify you when a fix is deployed and agree on a public disclosure date
5. Bug Bounty
We currently operate a discretionary rewards programme for valid, in-scope reports that meet our good-faith guidelines:
- Critical (CVSS 9.0–10.0): up to $500 in account credit or gift card
- High (CVSS 7.0–8.9): up to $200 in account credit or gift card
- Medium (CVSS 4.0–6.9): up to $100 in account credit
- Low / Informational: acknowledgement in our Hall of Fame
Rewards are at our discretion. Reports of issues we already know about or that another researcher reported first, out-of-scope issues, and reports that do not include enough detail for us to reproduce the problem are not eligible. We do not offer cash payments at this time — we aim to expand this programme as we grow.
6. Hall of Fame
We maintain a public list of researchers who have responsibly disclosed valid issues and given us permission to acknowledge them. To be included, simply let us know in your report.
7. Safe Harbour
Researchers who act in good faith in accordance with this policy will not face legal action from RingDesk AI for their research activities. We consider responsible disclosure to be a significant contribution to our security posture and the broader community.
This safe harbour does not extend to activities outside the scope defined above, social engineering, physical intrusion, or any activity that harms customers or third parties.
8. Contact
Security disclosures: security@ringdesk.net
Please do not report security issues through our public support channels or social media.