Security & responsible disclosure

Last updated: 2026-06-04

HireOps AI handles candidate PII, recruiter inboxes, and recorded interview transcripts. We take reports of security issues seriously and welcome research conducted within the scope and rules below.

1. Reporting a vulnerability

Email security@symprio.com. Include a clear description, steps to reproduce, any proof-of-concept, and the impact you believe the issue has. PGP is not yet published — if you need to send something sensitive, request a key in your first message and we will provide one.

The machine-readable contact for security tooling lives at /.well-known/security.txt (RFC 9116).
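As an added illustration (not the file HireOps actually serves), the following is what an RFC 9116 security.txt consistent with this policy looks like. The Contact address and the Canonical host and path are taken from this page; the Expires date, Policy URL, and Preferred-Languages value are assumptions made for the example.

```text
# Example RFC 9116 security.txt for /.well-known/security.txt (constructed, not the live file)
# Comment lines start with "#"; each field is "Name: value" on its own line.

# Required: where to send reports (taken from this policy)
Contact: mailto:security@symprio.com

# Required: when this file should be considered stale (assumed date; refresh before it passes)
Expires: 2027-05-31T00:00:00.000Z

# Recommended: the authoritative location of this file
Canonical: https://hireops.symprio.com/.well-known/security.txt

# Optional: link to the human-readable policy (assumed URL)
Policy: https://hireops.symprio.com/legal/security

# Optional: languages the security team can read (assumed)
Preferred-Languages: en

# Encryption: is intentionally omitted because no PGP key is published yet;
# add it (and a cleartext PGP signature over this file) once a key exists.
```

The file must be served over HTTPS at exactly /.well-known/security.txt with a text/plain content type, and the Expires value needs to be bumped each time the policy is reviewed, since tooling treats an expired file as untrustworthy.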

2. Our response SLA

  • Acknowledgement: within 3 business days of your report.
  • Triage + severity assignment: within 7 business days.
  • Fix or mitigation timeline: we will share an estimated fix date based on severity. Critical issues (authentication bypass, tenant data leakage, RCE) are worked continuously until mitigated.
  • Disclosure: we will credit you (with your permission) in the fix announcement. We ask that you do not publicly disclose details until a fix has shipped to production.

3. In scope

  • https://hireops.symprio.com (the production tenant-facing app)
  • The HireOps AI API surface (/api/v1/*)
  • The candidate-facing interview surface (/interview/*) when reached through a legitimately issued screening token
  • Authentication, session handling, multi-tenancy isolation, webhooks, file uploads, AI prompt-injection paths

4. Out of scope

  • Third-party services we integrate with (Mistral, ElevenLabs, Twilio, Stripe, Gmail, LinkedIn, etc.) — report those directly to the relevant vendor.
  • Findings that require physical access to a user's device, social engineering of HireOps staff, or supply-chain attacks against npm / PyPI packages we depend on.
  • Denial-of-service via traffic flooding or resource exhaustion (please do not test these — see Rules of engagement below).
  • Marketing pages, blog content, and other static-content surfaces without practical security impact.
  • Reports from automated scanners without a working proof-of-concept (CVE tags, version banners, or missing security headers with no demonstrated exploit path).

5. Rules of engagement

  • Test only with accounts you own or accounts you have written permission to test.
  • Do not access, modify, or exfiltrate data belonging to other tenants. If you find a way to reach another tenant's data, stop and report immediately.
  • Do not run scanners or fuzzers against the production endpoint beyond a low rate — if you need to test load behaviour, ask first.
  • Do not deploy malware, ransomware, or persistent backdoors as part of testing.
  • Keep findings confidential until we confirm a fix has shipped.

6. Safe-harbour commitment

We will not pursue legal action against researchers who:

  • Make a good-faith effort to follow this policy and the rules of engagement above.
  • Report findings through the channel above before disclosure.
  • Avoid privacy violations, destruction of data, and disruption of service.

If you are uncertain whether something is in scope, ask before you test — we would rather extend scope than litigate.

7. Bounties

We are a small team and do not currently offer cash bounties. Confirmed reports receive a credit on our security acknowledgements page (once we publish one) and our sincere thanks. For impactful reports, we will share our reasoning with you so you can see what landed and why.