Security and reliability are critical components of VGS, so we welcome any input that helps us identify and eliminate vulnerabilities. Through this responsible disclosure policy, we hope to properly recognize your efforts to help us ensure the security of our customers.
If you believe you have found a security vulnerability that could impact VGS or our users, we encourage you to let us know right away. Please notify us at firstname.lastname@example.org. If possible, please include evidence as well as steps for reproducing the issue. We are committed to responding promptly.
If your report contains sensitive data, please use the public GPG key provided below to encrypt and email your findings to us.
To protect our users, please refrain from sharing information about any potential vulnerabilities with anyone outside of VGS. Once we have confirmed and mitigated the vulnerability, we hope that you will join us in an announcement.
Finally, we ask that you follow our Vulnerability Disclosure Policy and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
When researching, please don't:
DoS or DDoS us
Social engineer (including phishing) our staff or contractors
VGS' Security Statement: https://www.verygoodsecurity.com/docs/security/
If you follow these guidelines, we promise to:
Take all reported findings seriously
Respond to your email within 48 hours
Confirm and acknowledge any findings identified
Credit and thank you after vulnerabilities have been fixed
Depending on severity, publicly disclose reported vulnerabilities that we've remed
If you follow these guidelines, VGS pledges not to pursue or support any legal action related to your research.