Vulnerability Reporting
HEMA AI INC.
Security Vulnerability Reporting Policy
Last Updated: June 13, 2026
Hema AI Inc. ("Hema AI," "we," "our," or "us"), a corporation incorporated under the laws of the State of Delaware, United States of America, takes the security of its systems, platform, and user data seriously. We are grateful to security researchers, customers, and members of the public who identify and responsibly disclose potential security vulnerabilities affecting Hema AI systems.
This Security Vulnerability Reporting Policy (this "Policy") explains how to report a suspected vulnerability to Hema AI, what information to include, what you can expect from us in response, and the terms under which your participation in this process is governed. We ask that all researchers and reporters read and comply with this Policy in full before submitting a report.
Table of Contents
1. How to Report a Vulnerability
2. Scope
3. Out-of-Scope Issues
4. Severity Classification
5. Researcher Expectations and Conduct Requirements
6. Hema AI's Commitments
7. No Commitment to Compensation
8. Safe Harbor
9. Public Disclosure
10. Reservation of Rights
11. Legal and Regulatory Compliance
12. Contact
1. How to Report a Vulnerability
1.1 Submission Channel. All suspected security vulnerability reports must be submitted by email to: security@tryhema.com
Please do not submit vulnerability reports through social media, public forums, GitHub issues, general support channels, or any other medium. Using the designated email address above ensures that your report is received by Hema AI's security team promptly and handled with appropriate confidentiality.
1.2 Required Information. Each report must include, at minimum, the following information:
1. a clear and concise description of the suspected vulnerability, including the type of vulnerability (e.g., SQL injection, XSS, IDOR, authentication bypass) and its potential security impact;
2. the specific URL(s), endpoint(s), parameter(s), or system component(s) affected;
3. step-by-step instructions sufficient to reproduce the vulnerability, including any relevant request and response examples;
4. the potential impact of the vulnerability if exploited (e.g., unauthorized data access, privilege escalation, account takeover); and
5. your name and contact information (email address) so that we can follow up with you.
1.3 Supplementary Materials. Where available and applicable, please also include any of the following to assist Hema AI in validating and investigating the report:
• screenshots or screen recordings demonstrating the vulnerability;
• logs or raw HTTP request/response samples (with any sensitive personal data of third parties redacted);
• proof-of-concept (PoC) code, scripts, or payloads (limited to what is necessary to demonstrate the vulnerability — do not include destructive or data-exfiltration payloads);
• the IP address(es) from which testing was conducted; and
• any suggested remediation steps or mitigations.
1.4 Response Timeline. Hema AI aims to acknowledge receipt of all valid vulnerability reports within five (5) U.S. business days of submission. Hema AI will use commercially reasonable efforts to provide a substantive response — including an initial assessment of scope and severity — within fifteen (15) U.S. business days of acknowledgment, subject to the complexity and nature of the reported issue.
2. Scope
2.1 In-Scope Systems. This Policy applies to suspected security vulnerabilities directly affecting the following Hema AI-owned and operated systems and assets:
In-Scope Assets:
• *.tryhema.com
• api.tryhema.com
• app.tryhema.com
• Hema AI mobile applications (where applicable)
• Hema AI-owned infrastructure directly supporting the foregoing
Reports relating solely to third-party products, services, open-source libraries, or infrastructure not owned or controlled by Hema AI are outside the scope of this Policy, unless the report demonstrates that the issue arises from Hema AI's own code, configuration, or implementation of such third-party components.
2.2 Scope Table. The following table summarizes the types of issues that are within and outside the scope of this Policy:
| In Scope | Out of Scope |
|---|---|
| Authentication and authorization flaws | Social engineering, phishing, or impersonation |
| Injection vulnerabilities (SQL, command, LDAP, etc.) | Physical security issues |
| Cross-site scripting (XSS) and cross-site request forgery (CSRF) | Denial of service (DoS/DDoS) or volumetric attacks |
| Server-side request forgery (SSRF) | Spam, brute force, or credential stuffing |
| Sensitive data exposure or unauthorized data access | Malware, ransomware, or destructive payloads |
| Insecure direct object references (IDOR) | Third-party services not owned or controlled by Hema AI |
| Remote code execution (RCE) | Reports lacking sufficient detail to reproduce or evaluate |
| Security misconfigurations affecting *.tryhema.com | Issues affecting only end users' own accounts or devices |
| Business logic vulnerabilities with material security impact | Previously known/reported vulnerabilities already being addressed |
| API security vulnerabilities | Missing security headers with no demonstrable impact |
3. Out-of-Scope Issues
3.1 Excluded Issue Types. The following categories of issues are expressly outside the scope of this Policy and will not be accepted or reviewed as vulnerability reports:
1. social engineering attacks, phishing, spear-phishing, vishing, or impersonation of Hema AI or its personnel;
2. physical security issues, including attempts to gain physical access to Hema AI premises, hardware, or infrastructure;
3. denial of service (DoS), distributed denial of service (DDoS), or any other form of volumetric, amplification, or resource exhaustion attack against Hema AI systems;
4. spam, brute force attacks, credential stuffing, password spraying, or other automated high-volume attacks;
5. malware, ransomware, destructive payloads, logic bombs, or any code or activity designed to cause damage, destruction, or data loss;
6. vulnerabilities affecting only third-party services, applications, or platforms that are not owned or controlled by Hema AI, including third-party AI models, content delivery networks, or analytics platforms;
7. reports that lack sufficient technical detail to enable Hema AI to reproduce, evaluate, or assess the reported issue;
8. issues that have already been publicly disclosed and of which Hema AI is already aware and actively working on remediation;
9. theoretical vulnerabilities with no demonstrated or demonstrable exploitation path; and
10. missing security headers, rate limiting, or CSRF tokens where no material security impact can be demonstrated.
3.2 Conduct Constituting Disqualification. Reports submitted in connection with, or tainted by, any conduct that violates Section 5 (Researcher Expectations) of this Policy — including unauthorized access, data exfiltration, or disruption of Hema AI systems — will not be considered within scope and will not be eligible for safe harbor protections.
4. Severity Classification
Hema AI classifies confirmed vulnerabilities using the following severity framework, informed by the Common Vulnerability Scoring System (CVSS) and the specific context of the reported issue. Hema AI reserves the right to determine severity classification in its sole discretion based on its assessment of the actual impact and exploitability of the vulnerability.
| Severity | Examples | Response Expectation |
|---|---|---|
| Critical | RCE, mass data breach, authentication bypass, full system takeover | Prompt patch or mitigation; customer and regulatory notification as required |
| High | Privilege escalation, significant data exposure, SSRF with material impact, IDOR affecting multiple accounts | Addressed in next scheduled release or earlier |
| Medium | Limited data exposure, CSRF with meaningful impact, stored XSS | Addressed within standard release cycle |
| Low / Informational | Reflected XSS (low impact), missing headers with no demonstrable exploitation path, minor configuration issues | Acknowledged; addressed at Hema AI's discretion |
Severity classifications are assigned by Hema AI's security team following investigation and are subject to change as additional information becomes available. Reporter-assigned severity levels are considered as an input but are not binding on Hema AI.
5. Researcher Expectations and Conduct Requirements
By submitting a vulnerability report under this Policy, you represent, warrant, and agree that you will at all times:
1. Act in good faith. Your activities must be conducted honestly, in good faith, and solely for the purpose of identifying and responsibly disclosing potential security vulnerabilities to Hema AI.
2. Provide accurate and complete information. Your report must be accurate, complete, and not intentionally misleading. Do not submit fabricated, speculative, or artificial vulnerabilities.
3. Avoid disruption. You must not take any action that disrupts, degrades, impairs, or interferes with the availability, performance, or integrity of Hema AI's systems, services, or infrastructure, or that negatively impacts any other user of Hema AI's services.
4. Do not access, modify, or exfiltrate data. You must not access, read, copy, modify, destroy, disclose, transmit, or retain any data that does not belong to you, including data belonging to Hema AI, its customers, or any third party. Any inadvertent access to third-party data must be immediately reported to Hema AI and the data must not be retained.
5. Use only your own accounts for testing. All testing must be conducted exclusively on accounts, data, and resources that you own or that you have explicit written permission from the account owner to use for security testing purposes.
6. Report privately and promptly. You must report suspected vulnerabilities privately and directly to Hema AI at security@tryhema.com before making any public disclosure, and you must allow Hema AI a reasonable opportunity to investigate and remediate the issue in accordance with Section 9.
7. Comply with applicable law. Your activities must at all times comply with all applicable federal and state laws, including the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Electronic Communications Privacy Act (18 U.S.C. §§ 2510 et seq.), applicable state computer crime statutes, and all other applicable laws and regulations.
8. Do not use automated scanners without prior authorization. You must not use automated vulnerability scanners, crawlers, fuzzers, or other automated tools against Hema AI production systems without Hema AI's prior written authorization. Unauthorized automated scanning that disrupts or degrades Hema AI's services will be treated as an out-of-scope activity and will not be protected by the safe harbor provision in Section 8.
6. Hema AI's Commitments
In exchange for your good-faith compliance with this Policy, Hema AI commits to the following:
1. Timely Acknowledgment. Hema AI will use commercially reasonable efforts to acknowledge receipt of your report within five (5) U.S. business days of submission.
2. Good-Faith Investigation. Hema AI will investigate all in-scope reports submitted in accordance with this Policy in good faith and within a reasonable time, taking into account the complexity and severity of the reported issue.
3. Status Updates. Hema AI will use commercially reasonable efforts to provide you with periodic updates on the status of your report, including when the issue has been confirmed, when a fix has been developed, and when the fix has been deployed.
4. Confidential Handling. Hema AI will handle your report with appropriate confidentiality and will not share your personal information with third parties without your consent, except as required by applicable law or as necessary to investigate and remediate the reported vulnerability.
5. Safe Harbor. Hema AI will extend safe harbor protections to researchers who comply with this Policy, as set forth in Section 8.
6. No Retaliation. Hema AI will not pursue legal action against any individual who identifies and reports a potential security vulnerability in good faith and in compliance with all requirements of this Policy.
7. No Commitment to Compensation
7.1 No Bug Bounty Program. Hema AI does not currently operate a formal bug bounty program and is under no obligation to provide any monetary compensation, reward, gift, credit, or other benefit to any individual who reports a security vulnerability under this Policy.
7.2 Discretionary Recognition. Hema AI may, in its sole and absolute discretion, choose to recognize or reward certain valid, high-impact, and well-documented reports. Any decision whether to provide recognition or compensation, the form of such recognition or compensation, and the amount thereof, is made entirely at Hema AI's discretion and shall not be construed as creating any obligation on Hema AI's part with respect to any future reports.
7.3 No Promise Created. Nothing in this Policy, and no communication by Hema AI in connection with the review or investigation of a report, shall be construed as a promise, representation, or commitment to provide any form of compensation or reward.
8. Safe Harbor
| Safe Harbor: If you make a good-faith effort to identify and report a suspected security vulnerability in compliance with all requirements of this Policy, Hema AI will not initiate, support, or encourage legal action against you based solely on your participation in this process, subject to the conditions set forth below. |
|---|
8.1 Conditions for Safe Harbor. Safe harbor protections apply only if your activities satisfy all of the following conditions:
1. your activities are limited exclusively to systems and assets identified as in scope under Section 2 of this Policy;
2. your activities comply in full with the researcher expectations and conduct requirements set forth in Section 5 of this Policy;
3. you do not access, use, modify, disclose, transmit, or retain any data that does not belong to you;
4. you do not disrupt, degrade, impair, or interfere with the availability, performance, or integrity of any Hema AI system, service, or infrastructure;
5. you report the vulnerability promptly and privately to Hema AI at security@tryhema.com before making any public disclosure; and
6. your activities comply with all applicable federal and state laws, including the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and applicable state computer crime statutes.
8.2 Limitations of Safe Harbor. The safe harbor provided under this Policy does not apply to:
1. any conduct that falls outside the scope of this Policy, including out-of-scope activities as defined in Sections 2 and 3;
2. any conduct that causes harm, damage, or loss to Hema AI, its customers, its employees, or any third party;
3. any unauthorized access to, modification of, or exfiltration of Hema AI data or customer data;
4. any activity targeting third-party systems, infrastructure, or data not owned or controlled by Hema AI;
5. violations of the Computer Fraud and Abuse Act or any other applicable federal or state law; or
6. activities conducted in bad faith or for any purpose other than legitimate security research.
| WARNING: The safe harbor under this Policy does not immunize you from civil or criminal liability for conduct that violates applicable law or that falls outside the scope of this Policy. Hema AI reserves all legal rights with respect to any such conduct. |
|---|
8.3 Third-Party Claims. The safe harbor provided by Hema AI under this Policy covers only Hema AI's own potential legal claims against you. It does not extend to claims that may be brought by third parties (including other users of the Services, third-party service providers, or governmental authorities) in connection with your activities.
9. Public Disclosure
9.1 Coordinated Disclosure. Hema AI strongly encourages coordinated vulnerability disclosure. We ask that you refrain from publicly disclosing, publishing, or otherwise communicating the details of a suspected or confirmed vulnerability until Hema AI has had a reasonable opportunity to investigate, remediate, and deploy a fix for the issue.
9.2 Standard Disclosure Timeline. As a general guideline, Hema AI requests a minimum of ninety (90) calendar days from the date of your initial report before any public disclosure of the vulnerability. For particularly complex or critical vulnerabilities, Hema AI may request an extension of this period, which we will discuss with you in good faith. Where a vulnerability is already being actively exploited in the wild, Hema AI may accelerate its remediation timeline and coordinate with you on appropriate public disclosure.
9.3 Mutual Agreement. Hema AI will work in good faith with reporters to agree on an appropriate public disclosure timeline and format. Hema AI will credit reporters by name (or by handle, if preferred) in any public security advisory or acknowledgment related to their report, unless the reporter requests anonymity.
9.4 Unauthorized Disclosure. Premature or unauthorized public disclosure of a vulnerability before Hema AI has had a reasonable opportunity to remediate the issue may void safe harbor protections under Section 8 and may expose the reporter to legal liability. Hema AI reserves all rights with respect to unauthorized disclosures that harm Hema AI or its customers.
10. Reservation of Rights
Hema AI reserves the right to make all final determinations, in its sole discretion, regarding:
1. whether a reported issue constitutes a genuine security vulnerability within the meaning of this Policy;
2. the severity classification and priority of any confirmed vulnerability;
3. whether a report falls within the scope of this Policy;
4. what remediation actions, if any, Hema AI will take in response to a report, and the timeline for such actions;
5. whether safe harbor protections apply to any particular reporter or report;
6. whether any recognition, compensation, or reward will be offered, and in what form and amount; and
7. whether any modifications to this Policy are appropriate and when such modifications will take effect.
These determinations are made by Hema AI in good faith and are final. Nothing in this Policy creates any obligation on Hema AI to accept, investigate, respond to, or act upon any report, or to provide any particular form of remedy or recognition.
11. Legal and Regulatory Compliance
11.1 Governing Law. This Policy is governed by and shall be construed in accordance with the laws of the State of Delaware and applicable federal laws of the United States of America, without regard to any conflict-of-laws principles that would require the application of the laws of another jurisdiction.
11.2 CFAA Compliance. All security research activities conducted in connection with this Policy must comply with the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030) and all other applicable federal and state computer crime statutes. This Policy does not authorize any activity that would violate the CFAA or any other applicable law, and no provision of this Policy shall be construed as such authorization.
11.3 Export Controls. Submission of vulnerability reports and any associated proof-of-concept materials must comply with all applicable U.S. export control laws and regulations, including the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). You represent and warrant that any materials submitted in connection with a vulnerability report do not constitute export-controlled items requiring a license for transmission to U.S. persons.
11.4 Amendments. Hema AI reserves the right to update or modify this Policy at any time. Updated versions will be posted at www.tryhema.com/legal/vulnerability-reporting. Your continued participation in vulnerability reporting activities after an update constitutes your acceptance of the updated Policy.
12. Contact
All vulnerability reports and questions regarding this Policy should be directed to Hema AI's dedicated security team at:
Hema AI Inc.
Security Team
131 Continental Dr, Suite 305
Newark, Delaware 19713, United States of America
Security Reports: security@tryhema.com
General Inquiries: info@tryhema.com
Website: www.tryhema.com
| This Security Vulnerability Reporting Policy was adopted by Hema AI Inc., a Delaware corporation, effective June 13, 2026. Delaware File Number: 10586210. Registered Office: 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States of America. |
|---|
* * *
Hema AI Inc. | 131 Continental Dr, Suite 305, Newark, Delaware 19713 | security@tryhema.com | www.tryhema.com