Document ID: LCR-POL-SR-v1.0 · Effective Date: 29 June 2026
Havio takes reports about security vulnerabilities, abuse, and suspected incidents seriously. This policy explains how to report issues and what to expect.
1. What to Report
Please report:
- Suspected unauthorized access to Havio systems or customer data
- Vulnerabilities in Havio applications, APIs, public pages, or authentication flows
- Misconfigured public storage, exposed secrets, or sensitive data leaks
- Abuse of Havio voice agents, telephony, email, or integrations
- Phishing, impersonation, fraudulent calls, or prohibited use involving Havio
2. How to Report
Send security reports to security@havio.com. Production reliability issues that are not security concerns can be sent to support@havio.com or reported through the production issue guide.
For production call-routing problems that are not security issues, use Report a production issue and choose severity. For security concerns, keep the first message narrow and avoid sharing secrets or unnecessary caller data.
Include:
- A clear description of the issue
- Affected URL, route, account, call ID, or integration where applicable
- Steps to reproduce, screenshots, logs, timestamps, and impact assessment
- Your contact details for follow-up
- Whether live callers are currently affected
- Whether fallback routing, direct forwarding, or workflow pause has been activated
- Whether the report involves caller data, recordings, transcripts, credentials, or connected tools
Do not include unnecessary personal data, caller recordings, or secrets in the first report.
3. Severity Guide
| Severity | Examples | First action |
|---|---|---|
| Critical security | Suspected unauthorized access, exposed secrets, public caller data, active abuse of phone workflows | Contain exposure, preserve evidence, report immediately through the security or support path |
| High security | Vulnerability that could expose customer data, bypass access control, or abuse integrations | Provide reproduction steps, affected routes, timestamps, and potential impact |
| Production reliability | Live call answering, transfers, notifications, or integrations are failing without evidence of compromise | Use the production issue route and include affected phone number, workspace, time window, and fallback status |
| Low risk report | Documentation issue, minor configuration concern, suspected spam, or non-sensitive bug | Send enough detail for support to reproduce or route internally |
4. Coordinated Disclosure
Havio asks researchers and customers to:
- Avoid accessing, modifying, deleting, or exfiltrating data that is not yours
- Avoid disrupting service availability
- Avoid social engineering, spam, phishing, or physical attacks
- Give Havio reasonable time to investigate and remediate before public disclosure
Havio does not currently operate a public paid bug bounty program.
5. Incident Handling
When Havio confirms a security incident affecting customer data or service availability, Havio will assess scope, contain the issue, remediate, and notify affected customers according to applicable law and contract terms.
Notification timing and content depend on the nature of the incident, affected data, legal obligations, and customer agreement.
For customer-impacting incidents, the useful customer notice should normally explain what is affected, when it started, what data or workflow is involved, what workaround exists, and when the next update is expected where practical.
6. Abuse Response
Havio may suspend or limit workflows that appear to violate law, caller consent requirements, acceptable use rules, anti-spam rules, impersonation restrictions, or platform safety policies.
See the Acceptable Use Policy for prohibited uses.
Policy Changelog
| Version | Date | Summary |
|---|---|---|
| v1.0 | 2026-06-29 | Initial security response policy |