Top Builder AI
Security

Vulnerability Disclosure Policy

We take the security of Top Builder AI and our customers' data seriously. If you have found a vulnerability, we want to hear about it — and we commit to working with you in good faith. This page explains how to report, what is in scope, and what you can expect from us.

Report to

support@salisburybookkeeping.com
Machine-readable contact: /.well-known/security.txt

First response

We acknowledge reports within 3 business days and aim to validate within 10 business days.

01 How to report

Email support@salisburybookkeeping.com with enough detail for us to reproduce the issue:

  • A clear description of the vulnerability and its impact.
  • Step-by-step reproduction instructions, proof-of-concept, or a short screen recording.
  • The affected URL, endpoint, or component, and the date/time of your testing.

Please report promptly after discovery and keep the details confidential until we have had a reasonable chance to remediate. We do not currently run a paid bug-bounty program, but we genuinely appreciate responsible disclosure and will credit you publicly if you wish.

02 Scope

In scope:

  • topbuilderai.com and its subpages.
  • The Top Builder AI web application and API.
  • The Top Builder AI booking service.

Out of scope (please do not test these):

  • Third-party services we integrate with (ServiceTitan, Buildertrend, Procore, QuickBooks, Supabase, Google Cloud, Anthropic, ElevenLabs) — report those to the respective vendor.
  • Denial-of-service, volumetric, or load/stress testing; automated scanning that degrades the service.
  • Social engineering, phishing, or physical attacks against our staff, customers, or facilities.
  • Reports based solely on missing best-practice headers or theoretical issues without a demonstrated impact.

03 Rules of engagement

  • Only test against accounts and data you own or are explicitly authorized to use. Never access, modify, or exfiltrate another tenant's data.
  • Stop as soon as you have demonstrated a vulnerability; do not pivot, escalate, or maintain access.
  • Do not run automated tools that generate significant load.
  • Do not publicly disclose the issue until we confirm it is resolved or 90 days have passed and we have coordinated with you.

04 Safe harbor

Good-faith research is welcome. If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. If legal action is brought by a third party against you for activity that complied with this policy, we will make it known that your actions were authorized. This safe harbor does not apply to actions that violate the law or harm our customers.

05 What to expect from us

  • Acknowledgement within 3 business days of your report.
  • Validation and an initial severity assessment, typically within 10 business days.
  • Remediation prioritized by severity — critical issues are addressed as quickly as practicable.
  • Updates as we work the issue, and a notice when it is resolved.
  • Credit for the discovery if you would like to be named.

For a customer-affecting incident, we follow our internal incident-response process, including containment, assessment, and notification of affected customers and any required authorities.