# Anava Vulnerability Disclosure Policy (VDP)
Last Updated: October 31, 2025
Anava is committed to the security of our products and our customers. We welcome collaboration with independent security researchers who discover and report vulnerabilities in good faith.
This policy (VDP) explains how to report a vulnerability, what you can expect from us, and what we require from you.
### Safe Harbor
Anava will not initiate legal action or support any law enforcement investigation against a security researcher for "good faith" security research that complies with this policy. "Good faith" research means you:
* Do not violate the privacy of other users, disrupt services, or destroy data.
* Do not exfiltrate, modify, or store any Anava or user data you encounter.
* Stop testing and report immediately if you encounter any user data or sensitive information.
* Do not engage in social engineering, phishing, or physical attacks.
* Provide us with a reasonable amount of time to fix the issue before public disclosure.
### Scope
This policy applies to:
* The Anava ACAP application.
* The Anava public website (`anava.ai`).
**Out of Scope:**
* **The AXIS OS or camera firmware.** Please report these vulnerabilities directly to the **[Axis Communications Security Program](https://www.axis.com/support/cybersecurity/vulnerability-management)**.
* Third-party services we use (e.g., our email provider).
* Denial of Service (DoS or DDoS) attacks.
* "Spam" or other low-impact, non-security issues.
### How to Report a Vulnerability
Please send a detailed report to **security@anava.ai** with the following:
* A clear description of the vulnerability and its potential impact.
* Steps to reproduce the finding (e.g., screenshots, code, or a video).
* The product version and environment you were testing.
### What to Expect from Us
* We will provide an initial acknowledgment of your report within 3 business days.
* We will investigate the report and confirm the vulnerability.
* We will work to remediate the vulnerability in a timely manner.
* We will notify you when the fix is released.
**Rewards:**
We do not currently offer a monetary bug bounty program. However, we are happy to provide public acknowledgment and thanks to researchers who submit a valid, unique vulnerability.