Vulnerability Disclosure Policy

Security Policy | Version 2.0 | Effective Date: January 1, 2025

We take the security of our systems and users seriously. If you believe you have discovered a security vulnerability in any of our products or services, we encourage you to disclose it to us responsibly. This policy outlines the process for doing so, our commitments to you as a reporter, and the boundaries of acceptable research conduct.

1.  Scope

This policy applies to security vulnerabilities affecting systems, services, and products directly operated by our organization. It does not extend to third-party services, infrastructure, or platforms we do not control.

2.  How to report a vulnerability

Please submit your report to our security team at the address below, including as much of the following information as possible:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept code, screenshots, or supporting materials (if available)
  • Any relevant system or environment details

Security Contact:  security@vicarius.io

3.  Our commitments

Upon receiving your report, we commit to the following:

  • We will acknowledge receipt of your report in a timely manner
  • We will investigate all credible submissions thoroughly and in good faith
  • We will keep you informed of our progress where appropriate
  • We may contact you for clarification or additional information
  • We will work to remediate confirmed vulnerabilities promptly

4.  Responsible disclosure guidelines

We ask that all researchers conducting security testing adhere to the following standards:

  • Only test against systems and accounts you are authorized to access
  • Limit your testing to what is strictly necessary to demonstrate the vulnerability — do not exploit it further
  • Do not access, modify, copy, exfiltrate, or delete data belonging to other users
  • Do not perform actions that could degrade, disrupt, or damage our services or infrastructure
  • Keep all findings strictly confidential until we have had a reasonable opportunity to investigate and remediate the issue

Research that does not comply with these guidelines may not be eligible for recognition and may fall outside the safe harbor protections described in Section 6.

5.  Recognition & rewards

We do not currently operate a formal bug bounty program and are unable to guarantee financial compensation for reported vulnerabilities. However, we evaluate every valid submission individually. For significant, well-documented findings, we may — at our sole discretion — offer recognition or a goodwill reward to the reporting researcher.

6.  Safe harbor

We will not pursue legal action against individuals who discover and report security vulnerabilities in good faith, provided they act in accordance with this policy. We consider responsible security research a legitimate and valuable contribution to our overall security posture.

This safe harbor applies solely to research conducted within the scope and guidelines defined by this policy. Activities outside this scope do not benefit from these protections.

This document is subject to periodic review. For questions regarding this policy, contact security@vicarius.io.