Responsible Disclosure & Vulnerability Reporting Policy

Introduction

We are committed to the security and reliability of our products and the protection of our customers’ data. This policy describes how security researchers, customers, and third parties can safely and responsibly report potential security vulnerabilities or bugs. Our goal is to ensure issues are addressed promptly and in a manner that minimizes risk to all customers.

Scope

This policy applies to all production systems, services, software products, APIs, cloud components, and infrastructure operated by our company. Unless explicitly authorized, the following are out of scope:

  • Demo or sandbox environments
  • Test or development systems not exposed publicly
  • Systems operated by customers in self-managed deployments

If you are unsure whether a system is in scope, please contact us for clarification.

How to Report a Vulnerability

We encourage responsible disclosure. If you believe you have found a security issue, please contact us by email at support@vernaio.com.

Please include the following information:

  • Detailed description of the issue
  • Steps to reproduce
  • Affected components, versions, environments
  • Assessment of potential impact
  • Proof-of-concept (non-destructive)
  • Your contact details for follow-up

We ask that you do not share details publicly before we complete our investigation and remediation.

Prohibited Actions

To ensure customer safety and legal compliance, please do not:

  • Access, modify, or delete customer data
  • Attempt to degrade, interrupt, or disable services (e.g., DoS)
  • Exploit findings beyond what is necessary to confirm the issue
  • Attempt lateral movement, privilege escalation, or persistence
  • Use automated scanning tools without coordination
  • Conduct social engineering or phishing against our employees or customers

Reports that required violating these rules cannot be considered under responsible disclosure.

Coordinated Vulnerability Disclosure (CVD) Process

We follow a coordinated disclosure approach to balance transparency with customer protection.

Our commitments:

  • Acknowledge your report within 3 business days
  • Provide an initial assessment within 7 business days
  • Keep you informed of progress
  • Work to resolve confirmed issues as quickly as reasonably possible
  • Notify you when a fix is deployed
  • Attribute public credit if desired

Researcher expectations:

  • Keep all details strictly confidential until we confirm the issue is resolved
  • Do not disclose information publicly for at least 90 days, or until mutually agreed upon
  • Avoid actions that put customer systems or data at risk

This process ensures that issues are addressed safely without exposing customers to unnecessary harm.

Safe Harbor

We support security research conducted in good faith.

If you follow this policy:

  • We will not pursue legal action against you
  • We will consider your testing authorized, provided it remains within the defined scope
  • Your activities will not trigger enforcement from our service providers

However, we cannot guarantee protection for actions that violate this policy or applicable law, or that cause harm (e.g., data exfiltration, service disruption).

Handling Non-Compliant Disclosures

If an issue is disclosed publicly, exploited, or tested aggressively outside the process described in this policy, we may need to:

  • Inform customers about the risk
  • Clarify publicly that the disclosure occurred outside coordinated procedures
  • Restrict communication with the reporter
  • Involve external authorities if legal violations occurred

Our intention is not to shame researchers, but to clearly distinguish between responsible disclosure and actions that could endanger customers.

Recognition

We value contributions from the security community. With your permission, we can acknowledge your work on our Security Hall of Fame or in release notes.

Changes to This Policy

This policy may be updated periodically. The latest version will always be available at https://www.vernaio.com/security/disclosure.