Vulnerability Disclosure Program
AI21 Labs encourages researchers to share the details of any suspected vulnerability with our team by submitting the form below. By clicking "Report Vulnerability", you acknowledge that you have read and understood, and that you agree to, the guidelines described in this Vulnerability Disclosure Policy (the “Policy”) for the conduct of security research and disclosure of potential vulnerabilities. AI21 Labs will not take legal action against individuals who discover and report vulnerabilities, provided they adhere to these guidelines.
Vulnerability Disclosure Process
Once you locate a vulnerability, please report it to our security team by clicking “Report Vulnerability”. In your report, please include a detailed explanation of how the vulnerability was found, including reproducible steps and clear evidence (such as screenshots, video, or command lines). If several vulnerabilities were found, please report them separately, unless a chain of vulnerabilities is required to exploit a certain vulnerability, in which case please include all relevant vulnerabilities in the same report, with a clear and detailed process. While we do not ask for your identification, we do ask that you provide us with a way of reaching out to you, preferably via email.
Once your report has been submitted, our security team may, if needed, request additional information or clarifications. When the investigation process of the reported vulnerability has concluded, AI21 Labs’ security team will reach out and communicate any appropriate information and details on the investigation and vulnerability back to you, and to any other relevant parties.
Any information you receive or collect about AI21 Labs, its clients, or their employees during the discovery of a suspected vulnerability must be kept confidential and only used in connection with the Policy. You may not use, disclose, or distribute any such confidential information, including, but not limited to, information regarding your submission and information you obtain when researching AI21 Labs sites, without prior written consent from AI21 Labs.
While we encourage you to report any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Executing, or attempting to execute, a Denial of Service (DoS) attack against any product or website;
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software or ransomware;
- Any act of cyber extortion, including threatening the availability of AI21 Labs data or AI21 Labs client data unless a payment is received;
- Social engineering of any AI21 Labs employee, contractor, client, or prospective client including but not limited to phishing and any testing that would result in unsolicited email, spam, or messages;
- Unapproved vulnerability or penetration testing;
- Selling, bartering, or otherwise benefitting from a vulnerability or data that does not belong to you;
- Downloading, exfiltrating, copying, or otherwise retaining AI21 Labs data or AI21 Labs client data that does not belong to you;
- Deliberately destroying, corrupting, or modifying, or attempting to destroy, corrupt, or modify data or information that does not belong to you.
Please note that if data that does not belong to you is uncovered as the result of a vulnerability, it must be removed from unapproved systems and further attempts to exploit it must be ceased immediately.
Please be reminded that you must comply with all applicable laws and regulations (either federal, state, or other local legislation) in connection with your security research activities or other participation in this vulnerability disclosure program. AI21 Labs does not authorize, permit, or otherwise allow (whether expressly or impliedly) any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that involves its systems, applications, websites, software or code, that is inconsistent with this Policy or the law. If you engage in any activities that are inconsistent with this Policy or the law, you may be subject to criminal and/or civil liabilities.