Good News: Since Aido doesn't store user data on servers, a traditional "data breach" is highly unlikely. However, we have a plan for app vulnerabilities and security issues.
Types of Incidents We Monitor
| Incident Type | Likelihood | Impact |
|---|---|---|
| App Vulnerability (Code exploit, injection attack) | Possible | Could affect individual users |
| Dependency Vulnerability (Third-party library flaw) | Possible | Depends on the library |
| API Key Exposure (If user's key is compromised) | Possible | User's AI provider account |
| Server Data Breach (Traditional breach) | Very Low | None (we don't store data) |
Response Timeline
Phase 1: Report Received (0-48 hours)
- Acknowledge: Send confirmation email to reporter within 48 hours
- Triage: Assess severity (Critical, High, Medium, Low)
- Classify: Determine if it's a security issue, bug, or feature request
Phase 2: Investigation (2-7 days)
- Reproduce: Verify the issue in a test environment
- Analyze: Determine root cause and potential impact
- Scope: Identify affected versions and users
- Update Reporter: Provide status update
Phase 3: Remediation (7-30 days)
- Develop Fix: Create and test a patch
- Critical Issues: Expedite to 7-14 days
- Non-Critical: Include in next planned release
- Testing: Verify fix doesn't introduce new issues
Phase 4: Release & Notification (30-45 days)
- Release Update: Push to Google Play Store
- Notify Users: Via Play Store release notes and in-app announcement (for critical issues)
- Update Transparency Center: Document the issue in changelog
- Credit Reporter: Acknowledge security researchers (if they wish)
User Notification Policy
Critical Issues (Immediate Notification)
We will send immediate notifications via:
- Google Play Store emergency update
- In-app alert on next launch
- Transparency Center homepage announcement
Examples: Data encryption vulnerability, remote code execution, API key leakage
High Issues (Release Notes)
Documented in Play Store release notes and changelog
Examples: Accessibility Service bypass, permission escalation
Medium/Low Issues (Changelog Only)
Documented in Transparency Center changelog
Examples: Minor UI bugs, non-security related crashes
Emergency Response
If a Critical Vulnerability is Discovered
- Immediate Action: Begin developing a fix within 24 hours
- Temporary Mitigation: If possible, push a hotfix that disables the vulnerable feature
- Public Disclosure: Announce the issue on the Transparency Center homepage
- User Guidance: Provide instructions for affected users (e.g., "Disable Accessibility Service until Update 1.2.1")
- Expedited Release: Submit emergency update to Google Play
Reporting a Security Issue
How to Report
Email: aiqknow@gmail.com
Subject Line: "SECURITY: [Brief Description]"
Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Affected versions (if known)
- Impact assessment
- Your name/handle (if you want credit)
Please do NOT: Publicly disclose the issue before we've had a chance to fix it (responsible disclosure)
Bug Bounty & Hall of Fame
We actively invite security researchers to test Aido. While we are a small team and cannot currently offer monetary bounties, we provide:
- Public Recognition: Permanent listing in our Hall of Fame below
- Direct Access: Fast-track communication with lead developers
- Recommendation: Verified letter of thanks for your portfolio
🏆 Security Hall of Fame
We gratefully acknowledge the following researchers for their responsible disclosure:
No contributions yet. Be the first!
Post-Incident Review
After every security incident, we conduct a review to:
- Document what happened and how it was resolved
- Identify preventative measures for similar future issues
- Update our security practices and code review processes
- Share learnings (if appropriate) in our Transparency Center
Zero Incidents So Far
As of January 2026, Aido has not experienced any security incidents or data breaches. We are committed to maintaining this record through vigilant security practices and transparent communication.