Vulnerability Disclosure Policy

Our Commitment

We are committed to working with security researchers and the broader community to identify and address security vulnerabilities. We appreciate the valuable role that the community plays in helping us ensure the security and privacy of our users.

Our goal is to foster a safe and secure environment by addressing potential vulnerabilities swiftly and transparently. We deeply value your contribution to enhancing the security of our platform.

We promise to:

• Acknowledge receipt of your vulnerability report within 3 business days
• Provide an estimated timeframe for addressing the vulnerability
• Notify you when the vulnerability is fixed
• Recognize your contribution if you wish (unless you prefer to remain anonymous)

Please note that while we greatly appreciate your efforts, we do not offer monetary rewards or payments for reported vulnerabilities. However, we are happy to recognize your work by adding your name to our Hall of Fame, showcasing your contribution to the security and safety of our platform.

We believe that collaboration with the security research community is key to maintaining a secure and trustworthy environment, and we are committed to supporting that process to the fullest.

Guidelines

When reporting vulnerabilities, please:

• Provide detailed reports with reproducible steps
• Include the version/build number of the affected software/service
• Submit your reports via the designated channels mentioned below
• Respect user privacy and avoid accessing any personal or sensitive data
• Give us a reasonable time to resolve the issue before any public disclosure
• Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
• Do not conduct denial of service (DoS), brute-force, or spam attacks
• Do not use automated scanners or tools that generate excessive traffic
• Do not engage in social engineering, phishing, or physical security testing

Scope

This policy covers publicly accessible VepDec digital properties and web services. The following domains are considered in-scope for security testing and responsible disclosure:

• Our marketing website:
  • vepdec.com
• Our employee portal (restricted access only):
  • tools.vepdec.com
• All web applications and services officially maintained by VepDec

The following classes of vulnerabilities are considered in scope when found in the above domains:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL Injection (SQLi)
• Server-Side Request Forgery (SSRF)
• Authentication bypass
• Authorization issues (IDOR, privilege escalation)
• Business logic flaws with real impact
• Code injection
• Information disclosure (e.g., sensitive data exposure)
• Security misconfigurations
• Broken access control

Out of Scope

The following issues are considered informational or low-severity and are therefore out of scope for VepDec’s vulnerability reporting:

• Missing security headers (e.g., X-Frame-Options, Content-Security-Policy)
• Clickjacking on pages with no sensitive actions
• Autocomplete enabled on non-sensitive fields
• Server version banners or header disclosures
• HTTPS mixed content warnings
• Stack traces or debug messages without sensitive data
• HTTP OPTIONS method enabled
• Social engineering or phishing attacks
• Use of outdated libraries without a known exploit
• Self-XSS or issues requiring user-defined scripts
• Email spoofing (SPF/DMARC/DKIM misconfigurations)
• Open ports that do not expose sensitive services
• Reflected URL parameters without security impact
• Cookies missing Secure or HttpOnly flags (unless leading to data exposure)
• CAPTCHA bypass with no practical impact
• Rate Limitings

How to Report a Vulnerability

Please send vulnerability reports to our security team via email. We encourage the use of encryption for sensitive reports.