Vulnerability Disclosure Policy | VertaaUX

Digitaltableteur Tmi (FI22264455-2), trading as VertaaUX, welcomes responsible security research. This policy describes how to report vulnerabilities, what is in scope, and how we protect researchers acting in good faith.

1. Safe Harbor

We consider security research conducted under this policy to be authorized and will not initiate legal action against researchers who:

Act in good faith and follow this policy
Avoid privacy violations and data destruction
Do not degrade service performance for other users
Report findings promptly and do not exploit vulnerabilities beyond what is necessary to demonstrate them

If legal action is initiated by a third party against a researcher who has acted in accordance with this policy, we will make reasonable efforts to make it known that the researcher's actions were conducted in compliance with our policy.

2. Scope

2.1 In Scope

vertaaux.ai — Web application and all subdomains
API — All endpoints at vertaaux.ai/api/*
CLI — @vertaaux/cli npm package
SDK — @vertaaux/sdk-js npm package and vertaaux-api-client PyPI package
MCP Server — @vertaaux/mcp-server npm package
GitHub Action — @vertaaux/audit-action
Browser Extension — VertaaUX Chrome extension
VS Code Extension — vertaaux-assistant

2.2 Out of Scope

Third-party services (Vercel, Stripe, Neon, etc.)
Social engineering or phishing attacks
Denial-of-service attacks (DoS/DDoS) against production systems
Physical attacks against infrastructure or personnel
Automated vulnerability scanning without prior approval
Vulnerabilities in third-party dependencies already reported upstream

3. Rules of Engagement

When researching vulnerabilities, you must:

Only interact with accounts you own or have explicit permission to test
Stop testing and report immediately if you access another user's data
Not modify or delete data that does not belong to your test account
Not perform actions that could affect other users
Use the minimum necessary exploitation to demonstrate the vulnerability
Not use automated scanning tools without prior written authorization

4. Reporting a Vulnerability

Send your report to security@vertaaux.ai with the following information:

Description — What the vulnerability is and its potential impact
Steps to reproduce — Clear, step-by-step instructions
Proof of concept — Screenshots, code, or video demonstrating the issue
Affected component — Which surface (web, API, CLI, SDK, etc.)
Severity assessment — Your estimate of the impact (Critical, High, Medium, Low)
Your contact information — For follow-up questions (name and email)

Please do not report vulnerabilities through public channels (GitHub issues, social media, etc.) before they have been resolved.

5. Response Timeline

Action	Timeline
Acknowledgment of receipt	Within 24 hours
Initial triage and severity assessment	Within 72 hours
Status updates during investigation	Every 48-72 hours
Resolution or mitigation	Target 90 days (varies by severity)
Public disclosure (coordinated)	After fix deployed, coordinated with reporter

6. Bug Bounty Program

We offer monetary rewards for valid, previously unreported vulnerabilities based on severity:

Severity	Reward (EUR)	Examples
Critical	€500 – €2,000	Remote code execution, SQL injection, authentication bypass
High	€200 – €500	XSS, CSRF, privilege escalation, API key leakage
Medium	€50 – €200	Information disclosure, insecure direct object references
Low	€10 – €50	Missing security headers, minor configuration issues

Rewards are determined at our sole discretion based on the severity, impact, and quality of the report. Duplicate reports receive credit but no reward. Rewards are paid via bank transfer (SEPA/international wire).

7. Recognition

With your permission, we will publicly acknowledge your contribution on our security page. If you prefer to remain anonymous, we will respect that choice.

8. Contact

Security reports: security@vertaaux.ai
General security questions: security@vertaaux.ai