Vulnerability Disclosure Policy
Last updated: July 2026
HeyOtto is an AI platform for kids and teens. That makes security research on our systems more important — not less. If you've found a vulnerability, we want to hear from you, we'll treat you with respect, and we'll act on what you report.
This policy tells you how to report, what's in scope, and what you can expect from us.
How to report
Email security@heyotto.app.
Please include, where you can:
- A description of the vulnerability and where you found it (URL, endpoint, or app screen)
- Steps to reproduce it — a proof of concept, screenshots, or a short video all work
- The potential impact, as you understand it
- How you'd like to be credited, if we publish an acknowledgment (optional — anonymous reports are welcome)
You don't need a polished writeup. A clear email is enough.
If your report involves sensitive details, you may request our PGP key by email before sending specifics.
What to expect from us
- Acknowledgment within 3 business days. A human will confirm we received your report.
- An initial assessment within 10 business days. We'll tell you whether we've validated the issue and how we're prioritizing it.
- Updates as we work. We'll keep you informed of remediation progress on validated reports.
- Credit, if you want it. With your permission, we'll thank you by name (or handle) once the issue is resolved. If you prefer to stay anonymous, we'll honor that.
We ask that you give us a reasonable opportunity to remediate before disclosing publicly. We're a small team and we move quickly; if you believe we've gone quiet, reply to your thread and escalate — silence is never our intent.
Scope
In scope:
- heyotto.app and its subdomains
- The HeyOtto iOS and Android apps
- HeyOtto's APIs
Out of scope:
- Third-party services we use (report those to the vendor directly)
- Denial-of-service or load testing of any kind
- Spam, social engineering, or phishing of HeyOtto staff, users, or families
- Physical attacks against our people or property
- Automated scanning that degrades service for real users
- Reports about missing best-practice headers, SPF/DKIM/DMARC records, or clickjacking on pages with no sensitive actions, without a demonstrated impact
The rule that matters most: never involve real kids
HeyOtto's users are children, their families, and the schools and students we work with. Security research on our platform must never touch any of them.
- Do not test against real users' accounts. This includes family accounts and school or district accounts. Create your own test accounts and use those exclusively. Do not attempt to access, view, or interact with any account belonging to a real child, teen, parent, teacher, or student.
- If you inadvertently access someone else's data, stop immediately. This applies equally to family data and school/student data. Don't view more than the minimum needed to demonstrate the issue, don't save or copy it, and tell us in your report exactly what you encountered.
- Do not attempt to contact, message, or interact with minors through any feature of the platform — including classroom or school-facing features — in the course of your research.
- Do not exfiltrate data. Demonstrating that access is possible is sufficient; taking data — whether a family's or a school's — is not acceptable proof.
A report that demonstrates a vulnerability using researcher-created test accounts is a good report. A report that involved a real child's account, or a real school's or student's data — even with good intentions — is a line we ask you never to cross.
Safe harbor
We consider security research conducted in good faith and in accordance with this policy to be authorized. Specifically, if you make a good-faith effort to comply with this policy:
- We will not initiate or support legal action against you for your research
- We will not report your research to law enforcement as a violation
- We consider your research authorized under applicable anti-hacking and anti-circumvention laws, including the Computer Fraud and Abuse Act and DMCA, to the extent your activities are consistent with this policy
- If a third party initiates legal action against you for research conducted in accordance with this policy, we will make it known that your actions were authorized
Good faith means: you avoid privacy violations and service disruption, you don't access more data than necessary to demonstrate the issue, you never involve real users' accounts, and you report promptly rather than exploiting or publicizing what you find.
If you're ever unsure whether your intended testing is within this policy, email security@heyotto.app and ask first. We'd much rather answer a question than handle an incident.
No bounty — yet
We do not currently operate a paid bug bounty program. We offer our sincere thanks, public credit if you'd like it, and a commitment to fix what you find. As we grow, we expect to formalize rewards for researchers who help keep families safe on our platform.
BerryWell, LLC (d/b/a HeyOtto) · Atlanta, GA
Questions about this policy: security@heyotto.app
