Security · Responsible disclosure

Found a security issue? Tell us first.

We welcome reports from good-faith security researchers. If you've found a vulnerability in StartupAmplify (operated by Quantivo AI, LLC), here's how to report it and what you can expect from us.

Report to
contact@startupamplify.com

Put "Security" in the subject. If you need to share sensitive details, say so and we'll arrange a secure channel.

Safe harbour

We will not pursue or support legal action against researchers who act in good faith, follow the guidelines on this page, and give us a reasonable chance to fix the issue before disclosing it. Good-faith research is not a violation of our terms.

In scope

  • www.startupamplify.com and the signed-in app (/app)
  • Our API endpoints
  • Authentication, session handling, and access-control issues
  • Data exposure between accounts (IDOR, RLS gaps)

Out of scope

  • The third-party directories we submit to — report those to the directory
  • Denial-of-service, volumetric, or load testing
  • Social engineering of our team, customers, or vendors
  • Automated scanner output with no demonstrated impact
  • Missing best-practice headers with no concrete exploit

What we ask

  • Give us reasonable time to fix before any public disclosure
  • Don't access, modify, or exfiltrate data that isn't yours — use test accounts
  • Don't degrade the service for others (no DoS, no spam)
  • Include clear steps to reproduce, impact, and any proof-of-concept

What to expect

We aim to acknowledge a report within two business days and to keep you updated as we investigate and fix. We don't run a paid bug-bounty programme today, but we're glad to credit researchers who want the recognition. There's a short summary of our posture on the security page.