Vulnerability Disclosure Policy

Effective May 16, 2026 · Avalon Flow Inc., a subsidiary of Questili LLP · support@avalonflow.com

For this policy, "Avalon," "we," "us," or "our" means Avalon Flow Inc., a subsidiary of Questili LLP, unless a signed order form or customer agreement identifies a different contracting entity.

Avalon welcomes good-faith vulnerability reports that help protect Avalon users, customers, and systems. This policy explains how to report suspected vulnerabilities and what conduct is authorized.

1. Scope

This policy applies to publicly accessible Avalon-owned systems and services, including Avalon web properties and production app surfaces operated by Avalon.

The following are out of scope unless Avalon gives written authorization:

  • customer-owned Google accounts/Google Workspace tenants, Microsoft tenants, Slack workspaces, Salesforce instances, MCP servers, custom endpoints, local models, private models, BYO model providers, or self-hosted infrastructure;
  • third-party providers not operated by Avalon;
  • social engineering, phishing, physical attacks, spam, denial of service, destructive testing, or attacks against Avalon users, employees, contractors, vendors, or customers;
  • attempts to access, modify, delete, exfiltrate, retain, or disclose Customer Content, personal information, secrets, tokens, credentials, emails, calendar data, prompts, model outputs, AI memory, logs, or payment data;
  • prompt extraction, model distillation, hidden instruction extraction, jailbreaks intended to reveal proprietary systems, or attempts to learn Avalon’s non-public prompts, tool schemas, routing logic, source code, internal policies, or proprietary operating methods.

2. Authorized research

Security research is authorized only if you:

  • act in good faith;
  • test only in your own account or with accounts and data you are authorized to use;
  • avoid privacy harm, service disruption, data destruction, persistence, lateral movement, and access to other users’ data;
  • stop testing immediately if you encounter Customer Content, personal information, secrets, tokens, credentials, or non-public Avalon information;
  • report the issue promptly to support@avalonflow.com;
  • give Avalon reasonable time to investigate and remediate before public disclosure;
  • comply with applicable law and this policy.

3. Reporting process

Send vulnerability reports to support@avalonflow.com with:

  • a clear description of the suspected vulnerability;
  • affected URL, endpoint, feature, or component;
  • steps to reproduce using safe test data;
  • screenshots or proof-of-concept details that do not include Customer Content or secrets;
  • potential impact;
  • your contact information and disclosure expectations.

Do not include raw Customer Content, credentials, tokens, private keys, payment data, or other sensitive information in the report.

4. What to expect

Avalon will review submitted reports, prioritize them based on severity and exploitability, and may contact you for clarification. Avalon does not guarantee a bounty, payment, swag, public credit, timeline, or fix for every report.

Avalon may decline reports that are out of scope, not reproducible, low impact, already known, caused by customer-controlled systems, or dependent on unsafe testing methods.

5. Safe harbor

Avalon will not pursue legal action against security researchers for accidental, good-faith violations of this policy when the researcher:

  • complies with the authorized research rules above;
  • avoids privacy harm and service disruption;
  • does not access, retain, disclose, or misuse data;
  • promptly reports the issue;
  • stops testing when requested by Avalon.

This safe harbor does not apply to extortion, threats, public disclosure before coordinated remediation, privacy violations, data exfiltration, destructive activity, social engineering, spam, denial of service, malware, credential theft, persistence, lateral movement, prompt extraction, model distillation, or activity outside this policy.

6. Public disclosure

Do not publicly disclose a vulnerability until Avalon has confirmed remediation or provided written permission. Coordinated disclosure protects users and gives Avalon time to investigate, patch, and notify affected parties where appropriate.

7. Contact

Report vulnerabilities to support@avalonflow.com.