Vulnerability Disclosure Policy (VDP)
Our Commitment
Plaud AI designs and manufactures AI-powered recording devices and services. We take the security of our products and the privacy of our users seriously.
We welcome reports from security researchers, customers, and members of the public who identify potential security vulnerabilities in our products or services. Responsible disclosure helps us protect our users and improve the security of our products for everyone.
Scope
This policy applies to security vulnerabilities in:
- Plaud hardware devices (Plaud Note, Plaud Note Pro, Plaud NotePin, Plaud NotePin S)
- Plaud mobile applications (iOS and Android)
- Plaud desktop client
- Plaud web application and supporting services
How to Report
To report a security vulnerability, please contact us at:
Email: security@plaud.ai
You may encrypt your report using our PGP public key, available at:
https://plaud.ai/.well-known/pgp-key.asc
Key fingerprint: F48B 4287 424A 2930 7100 A007 7CAA 7431 D3C9 FD03
Before encrypting, confirm that the fingerprint of the key you downloaded matches the fingerprint above.
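The PGP step above, as an added example rather than a script Plaud publishes: a POSIX shell script that downloads the key from the URL in this policy, compares its fingerprint with the one printed above before importing it, and only then encrypts a report to security@plaud.ai. It needs gpg (GnuPG 2.2 or later) and curl; the local file names and the PLAUD_REPORT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Plaud's own tooling: fetch the PGP key named in the
# policy, check its fingerprint against the published one, then encrypt a
# report. Assumes gpg (GnuPG 2.2+) and curl are installed; the file names
# and the PLAUD_REPORT variable are choices of this example.
set -eu

KEY_URL="https://plaud.ai/.well-known/pgp-key.asc"
EXPECTED_FPR="F48B 4287 424A 2930 7100 A007 7CAA 7431 D3C9 FD03"

# Canonical form of a fingerprint: 40 upper-case hex digits, no spaces.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when two fingerprints agree after normalisation, 1 otherwise.
fingerprint_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint of an ASCII-armoured key file, taken from gpg's
# machine-readable output (field 10 of the "fpr" record) without importing.
key_fingerprint() {
  gpg --batch --with-colons --show-keys "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Download the key, refuse to continue on a fingerprint mismatch, else import.
fetch_and_verify_key() {
  keyfile="${1:-plaud-pgp-key.asc}"
  curl -fsSL "$KEY_URL" -o "$keyfile"
  actual=$(key_fingerprint "$keyfile")
  if ! fingerprint_matches "$actual" "$EXPECTED_FPR"; then
    echo "fingerprint mismatch: got $actual, expected $EXPECTED_FPR" >&2
    return 1
  fi
  gpg --batch --import "$keyfile"
}

# Encrypt the report to the verified key, addressing it by full fingerprint so
# no other key with the same e-mail address can be selected. The fingerprint
# check above is the trust decision, hence --trust-model always.
encrypt_report() {
  report="$1"
  fpr=$(normalize_fpr "$EXPECTED_FPR")
  gpg --batch --yes --armor --trust-model always \
    --recipient "$fpr" --encrypt --output "${report}.asc" "$report"
  echo "${report}.asc"
}

# Usage: PLAUD_REPORT=report.txt sh report.sh
if [ -n "${PLAUD_REPORT:-}" ]; then
  fetch_and_verify_key
  encrypt_report "$PLAUD_REPORT"
fi
```

The comparison is done on the normalised 40-character string, so a fingerprint copied with different spacing or case still matches, while a single changed digit is rejected before anything is imported or encrypted.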
Please include:
- A description of the vulnerability and the affected product or service
- Steps to reproduce the issue
- The potential impact as you assess it
You are not required to provide personal information to submit a report.
What to Expect
Once we receive your report:
- We will acknowledge receipt of your report via email; we aim to do so within 5 business days.
- We will follow up and provide updates on the progress of your report until the issue is resolved or a final determination has been made.
- We aim to resolve reported vulnerabilities in a timely manner. All reported vulnerabilities are scored according to the Common Vulnerability Scoring System (CVSS 3.1). Our target remediation timelines by severity are:
  - Critical (CVSS 9.0–10.0): 7 days
  - High (CVSS 7.0–8.9): 30 days
  - Medium (CVSS 4.0–6.9): 90 days
  - Low (CVSS 0.1–3.9): 180 days
Actual timelines may vary depending on the nature and complexity of the issue.
Our Commitments to You
- We will handle your report confidentially and will not share your contact information without your consent, unless required by law.
- We will not require you to sign a non-disclosure agreement as a condition of receiving your report.
- We will keep you informed of progress on your report.
Responsible Disclosure Guidelines
To help us protect our users while we work to address reported issues, we ask that you:
- Report vulnerabilities to us privately before any public disclosure
- Allow us reasonable time to investigate and address the issue
- Avoid accessing or modifying data belonging to other users
- Limit testing to your own accounts and devices
Out of Scope
The following are generally outside the scope of this policy:
- Vulnerabilities in third-party services not directly under Plaud's control
- Social engineering or phishing attacks
- Denial-of-service attacks
- Physical attacks requiring hands-on access to Plaud facilities or personnel
Acknowledgements
We maintain a public Hall of Fame to recognize researchers who have responsibly disclosed valid security vulnerabilities. With your explicit consent, your name or handle will be listed at:
https://plaud.ai/.well-known/hall-of-fame.txt
Listing is opt-in and only applies to confirmed, resolved vulnerabilities.
Legal
This policy is intended to give security researchers and the public clear guidance on how to report security concerns to Plaud AI. It does not create any contractual obligation. Plaud AI reserves the right to update this policy at any time.
Contact: security@plaud.ai
Website: https://plaud.ai
This policy is provided in English, is freely accessible without prior request, and does not require submission of personal information.
Last updated: June 23, 2026