Found a security issue? Tell us first.
We welcome reports from good-faith security researchers. If you've found a vulnerability in StartupAmplify (operated by Quantivo AI, LLC), here's how to report it and what you can expect from us.
Put "Security" in the subject. If you need to share sensitive details, say so and we'll arrange a secure channel.
Safe harbour
We will not pursue or support legal action against researchers who act in good faith, follow the guidelines on this page, and give us a reasonable chance to fix the issue before disclosing it. Good-faith research is not a violation of our terms.
In scope
- www.startupamplify.com and the signed-in app (/app)
- Our API endpoints
- Authentication, session handling, and access-control issues
- Data exposure between accounts (IDOR, RLS gaps)
Out of scope
- The third-party directories we submit to — report those to the directory
- Denial-of-service, volumetric, or load testing
- Social engineering of our team, customers, or vendors
- Automated scanner output with no demonstrated impact
- Missing best-practice headers with no concrete exploit
What we ask
- Give us reasonable time to fix before any public disclosure
- Don't access, modify, or exfiltrate data that isn't yours — use test accounts
- Don't degrade the service for others (no DoS, no spam)
- Include clear steps to reproduce, impact, and any proof-of-concept
What to expect
We aim to acknowledge a report within two business days and to keep you updated as we investigate and fix. We don't run a paid bug-bounty programme today, but we're glad to credit researchers who want the recognition. There's a short summary of our posture on the security page.