Security disclosure policy

Effective 2026-05-04. We rely on the security research community to keep HelloHR safe. This page explains how to report findings, what's in scope, and what to expect from us.

How to report

Email security@hellovelora.com with:

  • A description of the vulnerability.
  • The affected URL or endpoint.
  • Reproduction steps a developer can follow.
  • The impact you believe it has.
  • If you used a test account, the email address you signed up with so we can correlate the report with our logs.

For sensitive findings, request our PGP public key in your first message and we'll respond with the fingerprint over a separate channel.

Safe harbor

We commit to:

  • Not pursue legal action against you for security research conducted in good faith following this policy.
  • Treat your research as authorized under the Computer Fraud and Abuse Act and similar state statutes.
  • Work with you to understand and resolve the issue quickly.
  • Acknowledge your contribution in our public hall-of-fame (with your permission) once the issue is fixed.

In return we ask that you:

  • Do not access, modify, or download data that doesn't belong to you. Stop at the proof-of-concept and report.
  • Do not run automated scanners that generate substantial load. If you need to run one, email us first.
  • Do not perform DoS / DDoS testing, social engineering of employees, or physical attacks on infrastructure.
  • Do not publicly disclose the vulnerability until we've had a reasonable opportunity to remediate (typically 90 days, or immediately on coordination if a fix lands sooner).

Scope

In scope:

  • hellohr-two.vercel.app and production custom domains belonging to Velora customers.
  • HelloHR's first-party API endpoints under /api/.
  • The SCIM provisioning surface under /scim/v2/.

Out of scope:

  • Third-party services we depend on (Vercel, Neon, Anthropic, ElevenLabs, Vapi, Sentry, Resend, Stripe). Report directly to the vendor.
  • Issues that require root or physical access to a victim's device.
  • Lack of email DNS records (SPF / DMARC) on staging domains.
  • Reports generated solely by automated scanners with no exploitable proof-of-concept.

Response SLA

We acknowledge new reports within 2 business days, triage and respond with a severity assessment within 5 business days, and aim to remediate critical issues within 30 days, high-severity issues within 60 days, medium-severity issues within 90 days, and low-severity issues at our discretion. Coordinated disclosure timelines are negotiated case-by-case.

Acknowledgments

Researchers who responsibly disclose vulnerabilities are acknowledged here once a fix has been deployed (with their permission to be named). Thank you to:

No public acknowledgments yet — be the first.