Security disclosure
Last updated: 2026-05-10
If you found something
Avarieux, Inc. takes security seriously. If you believe you've found a vulnerability in any service we operate — including the helm app, the quotes worker, or any of the public MCP servers we maintain — please report it via one of the channels below. Don't publicly disclose until we've had a reasonable window to address it.
How to report
- In-app reporter — the "report issue" button in the bottom-right of the app. Pick "Security / vulnerability", and set the severity to "Critical" if the issue is exploitable right now. Reports are encrypted in transit, and someone on the team sees them within the hour. Best for most reports.
- Email — security@avarieux.com. Include reproduction steps, affected URL/endpoint, and the impact. We acknowledge within 48 hours.
- PGP-encrypted email — for highly sensitive reports. Our public key fingerprint will be published here once the key is generated; verify the key you receive against that fingerprint before using it. In the interim, email security@avarieux.com to request the key, and leave the vulnerability details out of that first, unencrypted message.
Safe-harbor commitment
When you report a vulnerability in good faith following this policy:
- We will not pursue legal action against you.
- We will not file a complaint with law enforcement.
- We will work with you to understand and resolve the issue quickly.
- We will credit you publicly (with your permission) in our hall-of-thanks once the issue is resolved.
Scope
In scope:
- avarieux.com and all subdomains we operate
- The helm app codebase (github.com/ykshah1309/helm)
- The helm-quotes-worker (github.com/ykshah1309/helm-quotes-worker)
- Any of our open-source MCP servers
- Our published API endpoints (/api/v1/*)
Out of scope:
- Issues in third-party services we depend on (Clerk, Supabase, Stripe, Anthropic, OpenAI) — please report to them directly
- Social engineering of our team
- Physical attacks against our infrastructure (we operate no physical infrastructure of our own)
- Self-XSS, and CSRF without a demonstrated, significant impact
- Missing security headers without a demonstrated vulnerability
Response times
- Acknowledgment: 48 hours
- Triage decision: 5 business days
- Critical fix: 7 days
- High fix: 30 days
- Medium / low fix: 90 days
- Public disclosure: coordinated with you, 90 days after initial report by default
Bug bounty
We don't have a paid bounty program yet. We do offer:
- Public acknowledgment in our hall-of-thanks (with permission)
- A genuine thank-you note from the team
- Avarieux Pro+ access on us, for as long as you'd like, for any valid High or Critical disclosure
A monetary bounty program is on the roadmap as we grow.
Hall of thanks
Empty for now — be the first.