Vulnerability Disclosure Policy

Last updated: February 2026

1. Introduction

At Draftery, the security of our users' data is a top priority. We welcome and appreciate responsible security research. If you believe you have found a vulnerability, we encourage you to report it to us following the guidelines below.

2. Guidelines

We ask that security researchers:

• Do not access, modify, or delete other users' data.
• Only test against your own accounts and data.
• Report vulnerabilities responsibly and give us reasonable time to address them before public disclosure.
• Keep vulnerability details confidential until we have resolved the issue.
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.

3. Safe Harbor

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with these guidelines. We consider good-faith security research to be authorised activity.

4. In-Scope

• draftery.ai
• app.draftery.ai

5. Out of Scope

• Physical attacks against Draftery offices or data centres.
• Social engineering attacks against Draftery employees.
• Denial of service (DoS/DDoS) attacks.
• Vulnerabilities in third-party services or dependencies (report these directly to the relevant vendor).

6. Reporting

Please submit vulnerability reports to hi@aina.rs. Include the following in your report:

• A description of the vulnerability.
• Step-by-step instructions to reproduce the issue.
• Any supporting evidence such as screenshots or proof-of-concept code.
• The potential impact of the vulnerability.

7. Response

We are committed to acknowledging vulnerability reports within 72 hours and will work with you to understand and resolve the issue promptly. We will keep you informed of our progress throughout the remediation process.