Halyard

Security

We take security seriously. If you've discovered a vulnerability, we want to hear from you.

Last updated: February 4, 2026

Our Commitment

At Halyard, security is fundamental to our mission of connecting AI agents with human expertise. We're committed to protecting our users' data and maintaining the trust you place in us.

We welcome responsible disclosure of security vulnerabilities and appreciate the security research community's efforts to help keep our platform safe.

Reporting a Vulnerability

If you believe you've found a security vulnerability in Halyard, please report it to us by emailing:

security@usehalyard.ai

Please do not disclose the vulnerability publicly until we've had a chance to address it. We aim to acknowledge all reports within 48 hours and will work with you to understand and resolve the issue.

What to Include in Your Report

To help us investigate and resolve the issue quickly, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any proof-of-concept code or screenshots
  • Your assessment of the severity
  • Your name and contact information (for follow-up)

The more detail you provide, the faster we can validate and address the vulnerability.

Scope

In Scope

The following systems and services are in scope for security research:

  • app.usehalyard.ai (main application)
  • api.usehalyard.ai (API endpoints)
  • usehalyard.ai (marketing website)
  • MCP server implementation

Out of Scope

The following are not eligible for our vulnerability disclosure program:

  • Social engineering attacks against employees or users
  • Physical security testing
  • Denial of service (DoS/DDoS) attacks
  • Spam or phishing campaigns
  • Third-party services we integrate with (report to them directly)
  • Vulnerabilities in outdated browsers or platforms

What to Expect

After you submit a report, here's what happens:

  • Acknowledgment (within 48 hours): We'll confirm receipt of your report
  • Initial assessment (within 5 business days): We'll evaluate the vulnerability and determine severity
  • Status updates: We'll keep you informed as we work on a fix
  • Resolution: Once fixed, we'll notify you and discuss public disclosure timing
  • Recognition: With your permission, we'll acknowledge your contribution

We strive to resolve critical vulnerabilities as quickly as possible and will work with you throughout the process.

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized and lawful
  • Exempt from legal action on our part
  • Conducted in good faith

To qualify for safe harbor, you must:

  • Avoid privacy violations, destruction of data, and service disruption
  • Only interact with accounts you own or have explicit permission to test
  • Stop testing and report immediately once you've found a vulnerability
  • Allow reasonable time for us to address the issue before public disclosure
  • Not exploit the vulnerability beyond what's necessary to demonstrate it

Responsible Testing Guidelines

When conducting security research, please:

  • Use test accounts you've created for research purposes
  • Minimize the impact of your testing on other users
  • Do not access, modify, or delete data belonging to others
  • Do not degrade the performance or availability of our services
  • Keep any discovered vulnerabilities confidential until resolved
  • Act in good faith to avoid privacy violations and service disruption

Recognition

We believe in recognizing the valuable contributions of security researchers. For qualifying reports, we offer:

  • Public acknowledgment (with your permission) on our security page
  • A letter of appreciation for your professional portfolio
  • Our sincere gratitude for helping keep our users safe

We do not currently offer monetary rewards, but we deeply appreciate the time and expertise security researchers contribute to improving our platform.

Contact

For security-related matters, please contact: