Vulnerability Disclosure Policy

We value the security research community and welcome responsible disclosure of security vulnerabilities. Please note that we do not offer monetary compensation for vulnerability reports at this time.

If you've identified a security issue in our systems, here's how to report it:

Reporting a Vulnerability

Your report must contain specific technical details.
We do not respond to:

  • Inquiries asking if we have a disclosure program

  • Vague reports lacking technical details

  • Requests to discuss whether something "might" be a vulnerability

  • Reports submitted before reviewing this policy

What to Include
  1. Affected system: Specific URL, API endpoint, or service

  2. Vulnerability type: XSS, SQLi, authentication bypass, etc.

  3. Proof of concept: Step-by-step reproduction instructions (non-destructive)

  4. Impact: What an attacker could accomplish

How to Submit

Encrypted submission (optional): Use our public key below for sensitive reports.

age1kz780tq232q3arkwre5tjdmcsy2zvlu43qa4u4tkj73urhvpcf5qpyeh64

Scope
In scope
  • *.varderalabs.com

  • *.vardera.com

  • Production systems and services we operate

Out of scope
  • Third-party services (report to the vendor)

  • Social engineering or physical attacks

  • Denial of service testing

What We Don't Consider Vulnerabilities
  • Missing security headers without demonstrated exploit

  • SSL/TLS configuration preferences (cipher suites, TLS 1.0 presence)

  • Clickjacking on pages without sensitive actions

  • Reports generated by automated scanners without validation

  • "Best practice" recommendations without security impact

  • SPF/DMARC/DKIM configuration suggestions

  • Open ports or services without demonstrated vulnerability

Rules

You must not:

  • Access or modify data belonging to others

  • Perform testing that degrades our services

  • Use high-volume automated scanning

  • Share vulnerability details publicly before we've resolved them

  • Break any laws

You must:

  • Stop testing if you encounter user data

  • Delete any retrieved data once the issue is resolved

  • Act in good faith

What to Expect
  • Initial response: 5 business days for valid reports

  • No response: We don't respond to out-of-scope items, duplicates, or incomplete reports

  • Status updates: You can check status every 14 days by emailing the same thread

  • Resolution: We'll notify you when fixed and welcome coordinated disclosure

We prioritize based on impact and exploitability. Complex issues may take time to remediate.

Recognition

For the first report of a qualifying vulnerability, we're happy to list your name on our security acknowledgments page (with your permission).