Skip to main content

Security

Vulnerability Disclosure Policy

We welcome reports from security researchers. If you have found a vulnerability in Finn, this page explains what is in scope, how to report it, and what you can expect from us in return.

Last updated: July 18, 2026

Our commitment

Good-faith research, met in good faith

Security is part of how Finn is built, and independent researchers are part of how it stays that way. We investigate every credible report, keep you updated, and fix confirmed issues on a timeline set by their severity. We do not currently operate a paid bug-bounty program, but we are grateful for responsible disclosure and will credit researchers who wish to be acknowledged.

Scope

What’s in scope

In scope

  • The Finn web application and dashboard (hirefinn.ai and its subdomains)
  • Finn's public APIs and authentication flows
  • Issues that expose Customer Data, allow privilege escalation, or bypass access controls

Out of scope

  • Denial-of-service (DoS/DDoS) or volumetric/load testing
  • Social engineering, phishing, or physical attacks against staff or facilities
  • Findings in third-party services or subprocessors (report those to the vendor)
  • Spam, missing best-practice headers, or reports with no demonstrable security impact

Safe harbor

We won’t come after good-faith research

If you make a good-faith effort to comply with this policy during your research, we will consider it authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly. Good faith means: you avoid privacy violations and service disruption, you only interact with accounts you own or have explicit permission to test, and you do not access, modify, or retain data belonging to others.

Reporting

How to report

Email [email protected] with:

  • • A clear description of the vulnerability and its impact
  • • Steps to reproduce, including affected URLs or endpoints
  • • Any proof-of-concept, logs, or screenshots that help us confirm it

Please give us a reasonable window to remediate before any public disclosure.

What to expect

Our response

Acknowledged

We confirm receipt of your report within three business days.

Investigated

We triage and validate the issue, and keep you updated as we work.

Remediated

Confirmed issues are fixed on a timeline set by severity, then disclosed in coordination with you.

Get started

Hire Finn and scale with confidence.

Move from idea to live voice automation — securely, reliably, and without operational risk.

Book a Demo

Fort-nightly Launches

We move quickly and get you what you need

Powerful Tools

Pre-built dashboards, reports, automations, more