Security

Vulnerability disclosure

We take the security of Merov AI seriously. If you've found a vulnerability, we want to hear about it — and we'll work with you in good faith to fix it before public disclosure.

Report a vulnerability

Email security@merov.ai with as much detail as you can share. PGP-encrypted email is supported on request.

This contact information is also published at /.well-known/security.txt per RFC 9116.

What to include in your report

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions (the more specific the better)
  • Affected URL(s), endpoint(s), or component(s) — e.g., https://app.merov.ai/...
  • Your name or handle if you'd like to be credited (optional)
  • Whether you've disclosed this to anyone else, and if so, when and where

Our response commitments

Acknowledgement: within 48 hours

We'll confirm receipt and let you know we're looking into it.

Triage: within 5 business days

We'll assess severity, scope, and reproducibility and let you know what we've found.

Resolution: critical issues within 30 days

Critical and high-severity issues are patched within 30 days of triage. Lower-severity issues land on a normal release cadence. We'll keep you updated throughout.

Scope

In scope

  • www.merov.ai
  • app.merov.ai
  • Authentication and session management
  • OAuth integrations with third-party providers
  • Tenant isolation and data access controls
  • API endpoints and server actions

Out of scope

  • Third-party services (Supabase, Vercel, Stripe, etc.)
  • Denial-of-service attacks
  • Social engineering of Merov AI staff or customers
  • Physical security
  • Issues requiring physical access or already-compromised accounts
  • Best-practice findings without a concrete impact (e.g., "you should set X header")

Safe harbor

We support good-faith security research. If you make a sincere effort to comply with this policy, we will:

  • Consider your research authorized and not pursue legal action
  • Work with you to understand and resolve the issue quickly
  • Recognize your contribution publicly if you'd like (otherwise we'll keep your report private)

In return, we ask that you:

  • Give us reasonable time to investigate and patch before public disclosure (we suggest 90 days, but we'll work with you on faster timelines for high-severity issues)
  • Avoid privacy violations, destruction of data, and disruption to other users
  • Only test against accounts you own or have explicit permission to access
  • Not exfiltrate more data than necessary to demonstrate the vulnerability

What we don't have (yet)

We're an early-stage company. We don't currently have a paid bug bounty program, a formal security team, or third-party compliance certifications. We're focused on building a fundamentally secure product first, and these will come as we grow. If your research depends on a payout, please reach out before investing significant time.

Recognized researchers

None yet — be the first. Researchers who report valid issues are credited here (with permission).

Last updated: 2026-04-08