GenioPrep processes personal data including resumes, voice recordings, and payment information on behalf of job seekers worldwide. We take the security of this data seriously. If you discover a vulnerability in any GenioPrep system, we want to hear from you.
This policy describes how to report a vulnerability responsibly, what you can expect from us in return, and the boundaries of authorized research.
1. Scope
The following systems are in scope for responsible disclosure:
- thegenioprep.com and all its subdomains
- GenioPrep API endpoints (Netlify Functions at
/.netlify/functions/*) - Authentication, session management, and OTP flows
- Resume upload, storage, and processing pipeline
- Voice interview session handling and token issuance
- Payment intent creation and webhook verification
The following are out of scope. Please report these directly to the respective provider:
- Third-party services integrated by GenioPrep (Razorpay, OpenAI, Google OAuth, Netlify infrastructure, Cloudflare R2)
- Vulnerabilities in third-party open-source libraries (unless GenioPrep's specific usage creates the issue)
- Issues that require physical access to a user's device
- Social engineering of GenioPrep staff or users
- Denial of service, brute-force, or automated scanning attacks
- Issues affecting only outdated or unsupported browsers
2. How to Report
Send your report by email to security@thegenioprep.com with the subject line Security Vulnerability Report. We do not currently operate a bug bounty programme, but we do recognise researchers who report valid issues.
Please do not disclose the vulnerability publicly before we have had a reasonable opportunity to investigate and remediate it. We aim to resolve critical issues within 30 days and all other issues within 90 days of initial confirmation.
3. What to Include in Your Report
A complete report helps us reproduce and triage the issue quickly. Please include:
- A clear description of the vulnerability, including type (e.g. XSS, IDOR, broken authentication)
- The specific URL, endpoint, or component affected
- Step-by-step instructions to reproduce the issue
- The potential impact on users or GenioPrep data
- Screenshots, HTTP request/response captures, or a proof-of-concept (minimal exploitation only)
- Your name or handle, if you would like to be acknowledged
You do not need to exploit a vulnerability beyond what is necessary to demonstrate it exists. Do not access, exfiltrate, modify, or delete any user data as part of your research.
4. Our Commitments
When you report a vulnerability in good faith under this policy, GenioPrep commits to:
- Acknowledge receipt of your report within 3 business days
- Provide a triage decision and initial severity assessment within 10 business days
- Keep you informed of remediation progress at meaningful intervals
- Credit you by name or handle in our acknowledgements page (if you wish)
- Not pursue legal or civil action against you for research conducted in compliance with this policy
- Treat your contact information with confidentiality and not share it without your consent
5. Safe Harbor
GenioPrep authorises security research conducted in accordance with this policy. If you act in good faith, we consider your research to be authorised and will not refer the matter to law enforcement. We ask that you:
- Only test against accounts and data you own or have explicit permission to test
- Stop testing and contact us immediately if you encounter any real user data during your research
- Avoid disrupting GenioPrep services or degrading the experience for other users
- Not use automated scanners or load-testing tools without prior written permission
Safe harbor applies only to research that stays within the boundaries described in this policy. Conducting research outside these boundaries removes safe harbor protection.
6. What We Ask of You
To maintain a constructive and trustworthy relationship with security researchers:
- Give us a reasonable remediation window before public disclosure (we target 90 days for all issues)
- Do not use the vulnerability for personal gain, to harm users, or to gain access to data that is not yours
- Do not conduct social engineering, phishing, or physical security attacks
- Do not intentionally cause denial of service, data loss, or service interruption
- Coordinate with us if you plan to present or publish findings about GenioPrep security
7. Exclusions
The following categories of reports are generally not considered valid vulnerabilities and will be closed without remediation:
- Missing security headers (CSP, HSTS, X-Frame-Options) with no demonstrated exploitable impact
- SSL/TLS configuration issues without a working proof-of-concept exploit
- Cookie attribute issues (Secure, HttpOnly, SameSite) without a demonstrated attack chain
- Self-XSS or issues that require the attacker to already have compromised the victim's account
- Theoretical vulnerabilities with no practical exploit path
- Clickjacking on pages that do not perform authenticated actions
- Open redirects that do not lead to credential exposure or phishing
- Rate-limiting issues without demonstrated account takeover or data exposure risk
- Issues in end-of-life browsers or non-default browser configurations
8. Acknowledgements
We are grateful to the security community for helping keep GenioPrep safe. Researchers who report valid, in-scope vulnerabilities and follow this policy will be acknowledged here (with their permission). We are a small team and do not currently offer monetary rewards, but we are committed to treating every report with care and respect.
9. Contact
For all security reports, email security@thegenioprep.com with the subject line Security Vulnerability Report. For non-security enquiries, email support@thegenioprep.com or visit our contact page.
We do not accept reports via social media, public issue trackers, or third-party disclosure platforms at this time.