Responsible disclosure program.
We take security reports from external researchers seriously. If you've found a vulnerability in Aria, here's how to report it — and what we promise in return.
Assets and report categories we want.
If you find a real, exploitable security issue in any of the following, we want to hear about it. Reports outside this scope are still welcome but may receive lower priority.
Production web properties
ariadental.ai, www.ariadental.ai, app.ariadental.ai (when launched). Not the marketing site's third-party scripts (GTM, Clarity, GA4) — those are out of scope and reportable directly to those vendors.
Production API endpoints
aria-backend-production-8458.up.railway.app and any API endpoint that serves authenticated practice data. Includes voice/chat tool endpoints, admin endpoints, and webhooks.
Authentication & authorization issues
Account takeover, privilege escalation, broken authentication, broken access control, multi-tenant data leakage. We care a lot about these.
Injection attacks
SQL injection, command injection, server-side request forgery, XML external entity (XXE), template injection. Particularly anywhere PHI flows.
Cryptographic issues
Weak crypto, key management flaws, secrets in source, IDOR with PHI, broken encryption at rest or in transit.
Business logic flaws affecting PHI
Anything that lets a user access PHI they shouldn't, modify another tenant's data, or bypass the admin/practice/patient access boundary.
How to send us a report.
Email security@ariadental.ai with the subject line [Security Report] <short summary>. Include: a clear description of the vulnerability, reproduction steps, impact assessment, and any proof-of-concept code or screenshots (with PHI redacted).
GPG encryption — for sensitive reports, our PGP key is available on request. Email security@ariadental.ai with the subject [GPG Key Request]; we send the key over a separate channel, and you can then encrypt your follow-up.
Response SLA — we acknowledge new reports within 2 business days. Initial triage and severity assignment within 5 business days. Mitigation timeline depends on severity; critical issues are typically resolved within 14 days, high within 30, medium within 60, low within 90.
Coordinated disclosure — we ask for at least 90 days between report and any public write-up, so we can ship the fix and notify affected customers if applicable. We'll coordinate with you on disclosure timing and credit.
Reports we will deprioritize or close.
Reports in these categories do not receive the safe harbor treatment that genuine vulnerability reports do, and may not get a substantive response. We list them so you don't waste your time.
Denial of service / volumetric attacks
DDoS, slowloris, application-layer DoS via volume. We have rate limiting and DDoS protection — please don't try to overwhelm the service to demonstrate this.
Social engineering
Phishing our employees, calling our support team, or otherwise manipulating humans into giving you access. Hard no — both ethically and legally.
Physical access attacks
Anything requiring physical access to our offices or hardware.
Self-XSS, missing security headers without exploit, clickjacking on non-sensitive pages
Findings that aren't actually exploitable in our environment, even if a header-checking tool flags them.
Issues in third-party services (GTM, Clarity, GA4, Twilio, Stripe)
Report directly to those vendors. We'll coordinate if it affects our customers.
Best-practice 'configuration' suggestions without an exploit
Things like 'you should rotate keys quarterly' are appreciated as feedback, but they don't qualify as vulnerabilities.
Currently no monetary bounty.
Aria does not currently run a paid bug bounty program. We may add one in 2027 once our security team scales and we've established a track record of timely fixes. In the meantime, we appreciate good-faith reports and will publicly credit researchers (with permission) on the hall of fame below.
If you've found a critical issue and submitted it through this program, we may issue a discretionary thank-you (Aria swag, conference ticket reimbursement, an honest LinkedIn recommendation, etc.). Not formal pay, but we recognize you spent your time.
Researchers who've helped secure Aria.
When researchers submit valid reports through this program, we publicly credit them here (with their permission). We're a young company — this list is starting empty. We'd rather have an honest empty hall than a fabricated one.
Found something? Let us know.
Email security@ariadental.ai with your finding. We acknowledge within 2 business days.