Security
Vulnerability Disclosure Policy
We welcome reports from security researchers. If you have found a vulnerability in Finn, this page explains what is in scope, how to report it, and what you can expect from us in return.
Last updated: July 18, 2026
Our commitment
Good-faith research, met in good faith
Security is part of how Finn is built, and independent researchers are part of how it stays that way. We investigate every credible report, keep you updated, and fix confirmed issues on a timeline set by their severity. We do not currently operate a paid bug-bounty program, but we are grateful for responsible disclosure and will credit researchers who wish to be acknowledged.
Scope
What’s in scope
In scope
- The Finn web application and dashboard (hirefinn.ai and its subdomains)
- Finn's public APIs and authentication flows
- Issues that expose Customer Data, allow privilege escalation, or bypass access controls
Out of scope
- Denial-of-service (DoS/DDoS) or volumetric/load testing
- Social engineering, phishing, or physical attacks against staff or facilities
- Findings in third-party services or subprocessors (report those to the vendor)
- Spam, missing best-practice headers, or reports with no demonstrable security impact
Safe harbor
We won’t come after good-faith research
If you make a good-faith effort to comply with this policy during your research, we will consider it authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly. Good faith means: you avoid privacy violations and service disruption, you only interact with accounts you own or have explicit permission to test, and you do not access, modify, or retain data belonging to others.
Reporting
How to report
Email [email protected] with:
- • A clear description of the vulnerability and its impact
- • Steps to reproduce, including affected URLs or endpoints
- • Any proof-of-concept, logs, or screenshots that help us confirm it
Please give us a reasonable window to remediate before any public disclosure.
What to expect
Our response
Acknowledged
We confirm receipt of your report within three business days.
Investigated
We triage and validate the issue, and keep you updated as we work.
Remediated
Confirmed issues are fixed on a timeline set by severity, then disclosed in coordination with you.
Get started
Hire Finn and scale with confidence.
Move from idea to live voice automation — securely, reliably, and without operational risk.
Fort-nightly Launches
We move quickly and get you what you need
Powerful Tools
Pre-built dashboards, reports, automations, more