Vulnerability Disclosure

Last Updated: Sep 2025

1. Introduction

Pragmatic Builders Ltd is dedicated to preserving data security by preventing unauthorised disclosure of information. This policy provides security researchers with instructions for conducting vulnerability discovery activities and guidance on how to report vulnerabilities.

It explains which systems and activities are covered, how to submit reports, and how long you must wait before publicly disclosing identified vulnerabilities.

2. Guidelines

We request that you:

a. Notify us as soon as possible after discovering a real or potential security issue.
b. Provide a reasonable amount of time for us to resolve the issue before you disclose it publicly.
c. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
d. Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to obtain data, establish command-line access or persistence, or pivot to other systems.
e. If you encounter sensitive data (including personal data, financial information, or trade secrets), stop testing immediately, notify us, and keep the data strictly confidential.
f. Avoid submitting a high volume of low-quality reports.

3. Authorisation

Security research conducted in accordance with this policy is deemed permissible. Pragmatic Builders Ltd will work with you to understand and fix the issue swiftly and will not suggest or pursue legal action in connection with your research.

4. Scope

This policy applies only to the following systems and services:

a. app.heyjamie.ai web application
b. Jamie WhatsApp & Email application

Any service not explicitly listed above (including related services) is out of scope and must not be tested. Vulnerabilities discovered in third-party solutions that Pragmatic Builders Ltd uses are not covered by this policy and should be reported directly to the vendor under their disclosure policy (if available).

If you are unsure whether a system or endpoint is in scope, contact vulnerabilities@heyjamie.ai before starting your research.

5. Types of testing not authorised

a. Network denial of service (DoS or DDoS) tests
b. Physical testing (e.g. office access, tailgating)
c. Social engineering (e.g. phishing, vishing)
d. Any other non-technical vulnerability testing

6. Reporting a vulnerability

To report a security flaw, send an email to security@heyjamie.ai or security@pragmatic.builders.

We will acknowledge receipt of your report the next business day and keep you updated on progress. Reports may be submitted anonymously.

7. Desirable information

When submitting a report, please include where possible:

a. Vulnerability description
b. Place of discovery
c. Potential impact
d. Steps required to reproduce the vulnerability (include scripts and screenshots if possible)

If possible, provide reports in English.

8. Our commitment

If you provide contact information, we commit to communicating with you transparently and in a timely manner.

  • We will acknowledge receipt of your report within three business days.

  • We will keep you informed about vulnerability confirmation and remediation progress.

  • We welcome discussion and will engage openly with you.