Vulnerability Disclosure Policy
Purpose
This policy outlines how security researchers and members of the public can responsibly report security vulnerabilities in Vendorapp. We welcome good-faith reports and are committed to addressing verified issues promptly.
Scope
This policy applies to:
- The Vendorapp web application
- The Vendorapp public website
- Any supporting infrastructure or APIs operated by Vendorapp Limited
How to report a vulnerability
To report a vulnerability:
- Send an email to security@vendorapp.co
- Include as much detail as possible (see below)
- Do not publicly disclose the vulnerability before we've had a chance to review and resolve it
Safe harbor statement
We will not initiate legal action against researchers who:
- Act in good faith
- Avoid violating privacy, disrupting systems, or accessing, modifying, or destroying data that is not their own
- Promptly report findings to us
- Do not exploit or share the vulnerability before it is resolved
We appreciate your contribution to the security of Vendorapp.
What to include in your report
To help us investigate and resolve the issue efficiently, please include:
- A clear description of the vulnerability
- Affected URL or component
- Steps to reproduce
- Any proof-of-concept code (if available)
- Your contact details for follow-up
What you can expect from us
Once we receive your report:
- We will acknowledge your submission within 5 business days
- We will investigate the issue and keep you updated
- If confirmed, we will prioritize remediation and notify you once resolved
Out-of-scope findings
The following are considered out of scope:
- Social engineering or phishing attempts
- Denial-of-Service (DoS) or spam testing
- Automated vulnerability scans or brute-force attacks
- Vulnerabilities in outdated or third-party software that Vendorapp does not maintain