Last updated: 09/11/2025

Responsible Disclosure

We encourage the security research community to responsibly report any potential vulnerability affecting Godia.ai. This page outlines the scope, reporting process, safe harbor framework, and our response commitments.

Purpose

Promote responsible vulnerability reporting to protect users, their data, and the integrity of the Godia.ai platform.

In-scope systems

Domains and services under *.godia.ai, including public web interfaces and official subdomains. Internal environments, employee accounts, and real customer data are out of scope.

Required best practices

  • No user impact

    Avoid service disruption, data alteration, or privacy impact. Prefer targeted, proportionate testing.

  • No access to or exfiltration of data

    Do not access other people's personal data. If you do so inadvertently, stop immediately and securely delete it without retaining copies.

  • No public disclosure before a fix

    Allow us a reasonable time to investigate and remediate before publishing. We will favor coordinated disclosure.

Reporting channel

Contact legal@godia.ai with a clear report: reproduction steps, impact, affected surfaces, anonymized screenshots, and your contact details.

Details to include in your report

  • Summary & estimated severity

    Short description of the issue and the risk.

  • Reproduction steps

    Step-by-step instructions, minimal payload, isolated test accounts.

  • Proof of concept

    Logs, screenshots, or videos demonstrating the issue without exposing sensitive data.

  • Scope & impact

    Affected components, conditions, and likelihood of exploitation.

  • Mitigation ideas

    Potential fixes, compensating controls, and best practices.

Safe harbor

To the extent permitted by law, we will not pursue action against researchers who act in good faith, perform proportionate testing, follow this policy, and do not exploit issues beyond what is necessary to demonstrate them. This does not cover illegal activities (e.g., accessing third-party data, DDoS, ransomware).

Out of scope

  • DDoS and volumetric testing

    Stress tests, large-scale fuzzing, or unauthorized intrusive scanning.

  • Social engineering

    Phishing, vishing, or impersonation of employees/customers.

  • Low-impact issues

    Non-blocking best-practice findings (e.g., missing headers without a directly exploitable impact).

  • Third-party services

    Issues in external tools and SaaS providers used by Godia.ai.

Severity and response timelines

  • Initial triage

    Acknowledgement within 2 business days.

  • Categorization

    Prioritization based on impact and likelihood (critical, high, medium, low).

  • Remediation

    Timeline varies depending on complexity. We will share updates until resolution.

Privacy and data

Reports may contain personal data (researcher contact details). This data is processed in accordance with our Privacy Policy and retained only as long as necessary to handle the report.

Recognition

We do not currently offer a public bug bounty program. Depending on the case, a thank-you mention may be granted. Thank you for helping improve the security of the Godia.ai ecosystem.

Program changes

This program may change at any time. The last updated date is shown above.