Welcome to Rezo's AI Armor

Welcome to Rezo's Data-First Contact Center, where we harness the power of advanced AI and autonomous agents to enhance our digital ecosystem. Join us in building a smarter, more efficient future.

Rezo.ai | VDP

What is a VDP?

A Vulnerability Disclosure Program (VDP) is a process that allows individuals to report security flaws or weaknesses they discover in a company’s systems. It provides guidelines for reporting these vulnerabilities, enabling the company to address them quickly and maintain system security. This program helps protect both the company and its customers by preventing potential cyberattacks.

Implementing a VDP helps to:

Efficiently Reduce Risk
Quickly identify and fix security vulnerabilities to minimize potential threats.

Enhance Security Capabilities
Improve and expand the organization's ability to manage and respond to security issues.

Protect the Brand
Maintain and strengthen trust and reputation by ensuring systems are secure and reliable.

Who Can Report to VDP?
Developers, researchers, security professionals and others interested in enhancing cybersecurity can report vulnerabilities.

How to Report
To report a vulnerability, please email us at security@rezo.ai with a comprehensive description, steps to reproduce, an impact assessment, and any pertinent screenshots or documentation. Your contribution is invaluable in enhancing our security.

Acknowledgment
When you report a vulnerability in the critical sector, you become part of Rezo.ai's extended family. We will acknowledge your contribution appropriately. If you prefer to remain anonymous, we will respect your privacy. Participate in our VDP and help us work together to make India cybersafe.

Confidentiality and Reporting Guidelines for Rezo.ai

At Rezo.ai, we are committed to maintaining the highest level of confidentiality. You must not publicly disclose any information about security vulnerabilities without written consent from Rezo.ai.

Submission and Response Time
Due to the high volume of submissions, processing your report may take some time. We are committed to acknowledging and responding to all emails and reports within 7-10 working days. We take these reports seriously and appreciate your efforts in helping us maintain the security of our systems.

Report Evaluation
The originality, quality and content of your report will be evaluated during the processing of the submission. Please ensure that your report clearly explains the impact and exploitability of the issue, along with a detailed proof of concept.

Supporting Materials
Ensure that any supporting materials, such as proof-of-concept videos and images, and any data belonging to Rezo and its customers are not uploaded to any third-party website(s).

Additional Information
You must provide additional information if requested. Failure to do so may result in the invalidation of your submission.

Respect for Existing Applications
Show respect for Rezo.ai's existing applications and refrain from running any test cases that may disrupt our services.

Security and Privacy
To protect Rezo.ai's sensitive data and the privacy of other users, researchers should demonstrate impact in a secure manner. Cease testing and notify us immediately if you discover any exposure of non-public or Personally Identifiable Information (PII) data.
Researchers must purge any stored non-public or PII data of the organization upon reporting a vulnerability.
If you are unable to determine the impact without possibly accessing sensitive or production data, please let us know so we can investigate the matter on your behalf.

Automated Tools
Do not use any automated tools or scripts to brute force or flood our applications, as they can be disruptive or cause systems to misbehave. Doing so will render your submission invalid and result in complete disqualification from similar programs by Rezo.ai.

Non-Disclosure
Even after a vulnerability has been fixed, do not publicly disclose any information or data related to the discovered or reported vulnerabilities.

Rewards and Recognition
While we don't offer monetary rewards, we do have a special subroutine for our cyber guardians. The Hall of Fame awaits those who help enhance our AI defenses! Your digital signature could be immortalized in Rezo's machine learning models, based on the impact of your discovery.
Rezo.ai VDP

In-Scope Targets

Our AI Armor is focused on securing these key areas:

Central Data Hub: my.rezo.ai
Autonomous Conversation Matrix: az-converse.rezo.ai

These are the primary nodes where your expertise can help us strengthen our AI defenses.

Out-of-Scope Targets

All other assets, domains and subdomains not listed as in-scope targets are out of scope. We apologize for any inconvenience and appreciate your understanding.

Focus Areas
We encourage researchers to focus on the following areas:
● Exfiltration of Sensitive or Personal Data: Use only your own accounts for testing data exfiltration; do not test on actual customer data.
● Business Logic Flaws: Identify weaknesses in the system's business processes.
● Remote Code Execution: Check for vulnerabilities that allow unauthorized code execution.
● SQL and Command Injection: Test for vulnerabilities where malicious code can be injected into the system.
● Authentication Bypass: Discover methods to bypass authentication mechanisms.
● Cross-Site Scripting (XSS): Look for opportunities to inject malicious scripts.
● Cross-Site Request Forgery (CSRF): Test for unauthorized actions that can be performed on behalf of a user.
● Insecure Direct Object References: Check for vulnerabilities that expose internal objects.
● Privilege Escalation: Identify ways to gain unauthorized access to higher privileges.

Excluded Scenarios
While we appreciate your processing power, some data packets are filtered or considered low-priority in our AI architecture and excluded from rewards:

● Clickjacking on non-sensitive action interfaces (Our UI has quantum encryption!)
● CSRF on unauthenticated data streams (Our input validation is already self-aware)
● Known vulnerable libraries without PoC (Our patch management AI is on it)
● CSV injection without demonstrated risk (Our data parsers laugh at mere commas)
● SSL/TLS best practices (Our encryption algorithms are bleeding-edge)
● DoS / DDoS activities (Our load balancers are sentient - don't annoy them!)
● Content spoofing without HTML/CSS modification (Our content is AI-generated and verified)
● Non-auth endpoint rate limiting (Our API gateways have machine learning rate control)
● CSP best practices (Our content security AI is always learning)
● Cookie flag issues (Our cookies are quantum-entangled for security)
● Email config best practices (Our communication protocols are post-singularity)
● Version disclosure (Our versioning is dynamic and AI-managed)
● Tabnabbing (Our UX is too intelligent for such tricks)
● Open redirects without security impact (All our neural pathways are secure)
● Social engineering vulnerabilities (Our AI agents are too smart to be fooled!)
● Subdomain Takeover (We know the list already)
● Physical Testing (Our AI doesn't like to meet anyone)
● Mail Server Domain Misconfiguration (including email spoofing and missing SPF/DKIM/DMARC records, etc.)
● Internal IP address disclosure (Internal means internal only)
● Presence of application or web browser 'autocomplete' or 'save password' functionality (Our AI doesn't like to store someone else's passwords)
● Self-XSS (Our AI doesn't like self-attacks)

Thank you for joining our hive mind in our quest to build the most secure, intelligent, and efficient Data-First Contact Center in the digital universe! Together, we'll make Rezo an impenetrable fortress of artificial intelligence and human ingenuity.