SmartAlex Vulnerability Disclosure Policy
1. Purpose and scope of this Policy
THERCSGROUP PTE. LTD., trading as SmartAlex ("SmartAlex", "we", "us", or "our"), takes the security of our platform, websites, applications and APIs (the "Services") seriously. The Services let business customers configure AI voice agents that place and receive real telephone calls, run outbound campaigns, manage contacts, and view analytics, and they record and transcribe calls and process the resulting audio and transcripts. Because the Services handle sensitive personal data, including call recordings and transcripts, we depend on a healthy relationship with the security community to keep them safe.
We welcome vulnerability reports from security researchers, customers, and the wider security community. This Vulnerability Disclosure Policy (this "Policy") sets out how to report a vulnerability, what is in scope and out of scope, what we promise good-faith reporters, and what we ask of them in return. It is a coordinated disclosure policy, not a paid bug-bounty programme, and it applies to vulnerabilities in SmartAlex properties only.
This Policy does not grant you any rights over the Services beyond the limited authorisation to conduct good-faith security research described below, and it does not waive any right or remedy with respect to activity that falls outside this Policy.
2. Definitions
In this Policy, the following terms have the meanings given below. Capitalised terms not defined here (including "Customer", "Customer Data", "End User", and "Subprocessor") have the meanings given in our Terms of Service and our Data Processing Addendum.
- Vulnerability means a weakness in the design, implementation, operation, or configuration of the Services that could be exploited to compromise the confidentiality, integrity, or availability of the Services or the data they process.
- Good-faith research means security testing that is carried out in accordance with this Policy, is intended to identify and report a Vulnerability, avoids harm to SmartAlex, our Customers, their End Users, and any third party, and does not access or use data beyond the minimum necessary to demonstrate a Vulnerability.
- Researcher, or "you", means any person who tests the Services and reports a Vulnerability under this Policy.
- Personal Data means information relating to an identified or identifiable individual, including call recordings, transcripts, contact records, and message content processed through the Services.
- Coordinated disclosure date means the date, agreed between you and us, on or after which a remediated Vulnerability may be publicly disclosed.
3. How to report a vulnerability
Send your report by email to security@getsmartalex.com. This is the single intake channel for security reports. Where possible, encrypt your report. To obtain our current PGP public key, email security@getsmartalex.com and we will reply with the key and its fingerprint before you transmit any sensitive material.
Please include the following in your report, in the order set out below, so that we can triage it quickly:
- A clear description of the Vulnerability and the affected component, system, endpoint, or URL.
- The type of Vulnerability and, where applicable, the relevant classification, for example the CWE category.
- Reproduction steps or proof-of-concept evidence sufficient for us to confirm the finding.
- The potential impact you estimate, including the data or systems that could be affected.
- Any relevant logs, request and response captures, screenshots, or other supporting evidence, with sensitive values redacted.
- The IP addresses, test accounts, and timestamps you used during testing, so that we can distinguish your activity from malicious traffic.
- Whether you are willing to be acknowledged publicly after resolution, and the name or handle you would like us to use.
If you are unsure whether a finding is in scope, send the report anyway and we will help you triage it. Please submit one Vulnerability per report unless several findings are part of a single attack chain, and please report findings to us before sharing them with any other party.
4. Our commitments to good-faith researchers
If your testing complies with this Policy and you act in good faith, SmartAlex commits to:
- Acknowledge your report within three (3) business days of receipt.
- Provide an initial triage assessment within ten (10) business days, including our preliminary view of severity and an estimated remediation timeline.
- Assign a single point of contact and communicate updates as remediation progresses.
- Work to remediate confirmed vulnerabilities within timeframes appropriate to their severity, as described in the section on severity classification and response targets below.
- Coordinate with you on a disclosure timeline. We generally aim for ninety (90) days from initial report to public disclosure, with extensions only by mutual agreement and only for as long as the Vulnerability poses no ongoing material risk.
- Acknowledge your contribution publicly, where you have asked us to do so, after the Vulnerability has been remediated.
- Not pursue civil or criminal action against you for security research conducted within the scope of this Policy. This commitment includes a contractual safe harbour: we will not allege violation of our Terms of Service, our Acceptable Use Policy, or applicable computer-misuse law for activity that complies with this Policy.
- Consider security research conducted in accordance with this Policy to be authorised and lawful access to our systems. If a third party brings an action against you for activity that complied with this Policy, we will take reasonable steps to make clear that we authorised that activity.
This safe harbour applies only to the extent your activity complies with this Policy. If your activity exceeds the scope and rules of engagement set out below, the safe harbour does not apply, and we reserve all rights and remedies available to us.
5. Scope
5.1 In scope
This Policy covers SmartAlex properties only. The following, when accessed only as specified in the rules of engagement below, are in scope:
- The SmartAlex websites and web application at getsmartalex.com and its related public subdomains.
- The SmartAlex API and its documented endpoints.
- The SmartAlex mobile applications for iOS and Android published under our publisher accounts, limited to the application binaries and the SmartAlex-operated backend endpoints they call.
5.2 Out of scope
The following are out of scope, and testing them is not authorised under this Policy:
- Third-party systems operated by our Subprocessors and infrastructure providers, for example our hosting, database, content-delivery, telephony, speech and language AI, real-time voice, and payments providers. These systems have their own vulnerability disclosure programmes, so please report any issue directly to the relevant provider. A current list of our Subprocessors is available in our Subprocessor List and our Data Processing Addendum.
- The Apple App Store and Google Play platforms themselves, which deliver our mobile applications but are not operated by us.
- Customer-deployed instances, Customer configurations, or Customer-uploaded data, which are not ours to authorise testing on.
- Findings limited to outdated TLS configurations, missing security headers, missing best-practice flags, or other low-severity hygiene issues, unless an exploitable impact is demonstrated.
- Social-engineering attacks against SmartAlex personnel or Customers, including phishing, vishing, smishing, and physical-access attempts at our offices or those of our Subprocessors.
- Denial-of-service attacks, including network-layer floods, application-layer floods, and resource-exhaustion attacks.
- Findings that require physical access to a victim's device, or that depend on a compromised or rooted device, an outdated browser, or an unsupported operating system.
- Self-reported vulnerabilities derived solely from automated scanning tools without proof of exploitability.
- Testing that places real outbound telephone calls, sends real messages, or generates live telephony traffic to any number or recipient you do not own or control. Our Services place and receive real telephone calls, and such traffic costs money and can reach uninvolved third parties.
- AI model output issues, including prompt injection against our voice agents or chatbot, that do not result in unauthorised access to data, systems, or functionality that you are not entitled to access.
6. Rules of engagement
To stay within scope and within the safe harbour, you must:
- Test only against accounts and data that you own or that have been explicitly authorised for testing, and create a dedicated test account where one is needed rather than using another person's account.
- Not access, modify, store, transfer, or use Customer Data or Personal Data beyond the minimum necessary to demonstrate the Vulnerability. If you accidentally access such data, stop, do not disclose or copy it, and report it to us.
- Not perform testing that degrades the Services for legitimate users, including denial-of-service tests, automated high-volume scanning, or aggressive fuzzing against production systems.
- Not perform social-engineering attacks, including against SmartAlex personnel or Customer personnel.
- Not place real telephone calls, send real messages, or generate live telephony traffic to any number or recipient you do not own or control.
- Not exfiltrate any data, and not retain any Customer Data or Personal Data after you submit your report.
- Not publicly disclose the Vulnerability until SmartAlex has remediated it or the agreed coordinated disclosure date has been reached.
- Not use a Vulnerability to compromise further systems, escalate beyond what is needed to prove impact, or maintain persistence.
- Comply with applicable law in all the jurisdictions involved in your research.
Our Services process Personal Data, including call recordings, transcripts, messages, and contact details, across Singapore, the European Economic Area, the United Kingdom, the United States, and South Africa. If your testing exposes the Personal Data of our Customers or their End Users, stop immediately, do not download or retain it, and notify us at security@getsmartalex.com and privacy@getsmartalex.com without delay. We will assess whether the exposure constitutes a personal-data breach under applicable law and handle any resulting notification obligations to supervisory authorities and affected individuals.
7. Severity classification and response targets
SmartAlex classifies inbound reports as Critical, High, Medium, Low, or Informational, using the Common Vulnerability Scoring System ("CVSS") version 3.1 base score as a starting point and adjusting for environmental and exploitability factors specific to the SmartAlex deployment, including the sensitivity of the data exposed. We will share our classification with you during triage and respond to any disagreement on the merits.
The table below sets out the indicative response and remediation targets that we work towards for each severity level. These targets are goals rather than contractual guarantees, and the actual timeline for a given Vulnerability depends on its complexity and on any dependency on a Subprocessor.
| Severity | Indicative CVSS 3.1 range | Target remediation |
|---|---|---|
| Critical | 9.0 to 10.0 | As soon as practicable, normally within 7 days, with interim mitigation applied immediately |
| High | 7.0 to 8.9 | Normally within 30 days |
| Medium | 4.0 to 6.9 | Normally within 90 days |
| Low | 0.1 to 3.9 | Addressed in the ordinary course, as resources allow |
| Informational | 0.0 | Logged and considered for future improvement |
8. Coordinated disclosure
We believe that coordinated disclosure protects users while still recognising the value of independent research. We ask that you give us a reasonable opportunity to remediate a Vulnerability before disclosing it to any third party or to the public.
Our default coordinated disclosure window is ninety (90) days from the date we acknowledge your report. We may agree a shorter window for low-risk findings, or a longer window where a fix is complex, depends on a Subprocessor, or requires a coordinated release. If a Vulnerability is being actively exploited, we will prioritise mitigation and will work with you on an accelerated timeline. We will not ask you to delay disclosure indefinitely, and we will tell you when remediation is complete.
Where appropriate, we will request or assign a CVE identifier for a confirmed Vulnerability and will coordinate the public advisory with you. Please do not test or disclose in a way that names or implicates our Customers, their End Users, or our Subprocessors without our prior agreement.
9. Recognition
SmartAlex will recognise Researchers whose reports lead to material security improvements. With your consent, we will credit your name or handle when we disclose a remediated Vulnerability, and we are happy to provide written recognition of a valid report on request, which you may use to evidence your contribution.
We do not currently operate a paid bug-bounty programme, and we make no offer of monetary reward under this Policy. We will note here if and when that changes. Submitting a report does not create any expectation of, or entitlement to, payment.
10. Legal position and good faith
This Policy is intended to provide clear authorisation and certainty to Researchers acting in good faith. We will interpret activity undertaken consistently with this Policy as authorised, as a matter of good faith, and we will not initiate or recommend a complaint to law enforcement for accidental or good-faith violations of this Policy.
Nothing in this Policy authorises activity that is unlawful under any applicable law, and you remain responsible for complying with the laws of every jurisdiction relevant to your research, including computer-misuse, data-protection, and telecommunications law. If at any time you are uncertain whether a particular action is permitted, stop and contact us at security@getsmartalex.com before proceeding. This Policy does not give you permission to act in any manner that is inconsistent with the law or that breaches the rights of any third party.
11. Governing law, updates and contact
This Policy is governed by the laws of the Republic of Singapore, including the Computer Misuse Act 1993. SmartAlex is a trading name of THERCSGROUP PTE. LTD. (UEN 202543608D), a private company limited by shares incorporated in Singapore, with its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914.
This Policy is reviewed periodically, and the effective date below reflects the most recent revision. We may update this Policy from time to time, and the current version always governs reports submitted while it is in force. For questions about this Policy or the disclosure process, contact security@getsmartalex.com. For privacy-related aspects of a report, you may also contact privacy@getsmartalex.com. For legal questions about this Policy, contact legal@getsmartalex.com.
This Vulnerability Disclosure Policy is version 1.1 and is effective from 1 June 2026.