Security
Report a bug
Last updated June 2, 2026. Found a bug or security issue? We welcome reports from users and researchers. This page explains what is in scope, the rules, and how to report safely.
Our commitment
We take the security of Viper and our users seriously. If you find a vulnerability, we want to hear about it and we will work with you to confirm and fix it.
We will not pursue legal action against researchers who follow this policy in good faith, and we will not ask your internet provider to identify you for testing done within these rules.
Scope
In scope: the Viper web app (app.viperai.fyi), the API (api.viperai.fyi), the marketing site (viperai.fyi), and the official desktop app.
Out of scope: third-party services we rely on (hosting, payment processing, authentication, AI providers, email), the job sites and employer portals Viper interacts with, and findings that require a compromised device or a privileged account you already control.
Rules of engagement
Only test against your own accounts and data. Do not access, modify, or delete other users' data.
Do not run denial-of-service attacks, send spam, perform large-scale automated scanning that degrades the service, or use social engineering or physical attacks against our team or users.
Stop as soon as you confirm a vulnerability, and do not exfiltrate more data than is necessary to demonstrate the issue. Give us a reasonable time to fix it before any public disclosure.
What we want to hear about
Authentication or authorization flaws, account takeover, and access to data that is not yours.
Injection (SQL, command, template), server-side request forgery, remote code execution, and significant information disclosure.
Exposed secrets or credentials, insecure direct object references, and issues in the desktop app that compromise the host or the user's account.
Typically out of scope
Reports from automated scanners without a working proof of concept, missing security headers without demonstrated impact, and best-practice suggestions with no exploitable risk.
Self-XSS, clickjacking on pages with no sensitive action, rate-limiting on non-sensitive endpoints, and issues that require an unlikely or already-compromised configuration.
How to report
Email team@viperai.fyi with a clear description, the steps to reproduce, the impact, and any proof-of-concept. Include the affected URL or app version.
We aim to acknowledge reports within a few business days and will keep you updated as we triage and fix. Rewards, where offered, are at our discretion and based on severity and impact.