1. Our Commitment
VECERT Foundation is committed to maintaining the security, integrity, and availability of our systems, services, and public cybersecurity resources.
We recognize the important role that the cybersecurity community plays in identifying and responsibly reporting security vulnerabilities.
We appreciate the efforts of security researchers who help us improve our security through responsible disclosure.
2. Purpose
This Responsible Disclosure Policy establishes a safe process for reporting potential security vulnerabilities affecting VECERT Foundation systems.
Our goal is to encourage ethical security research while protecting our users, partners, and infrastructure.
3. Scope
This policy applies to vulnerabilities affecting:
- www.vecertfoundation.org
- Analyzer Pro 360
- Public Cybersecurity Tools
- Web Applications
- APIs operated by VECERT Foundation
- Cloud infrastructure owned or operated by the Foundation
- Other online services officially managed by VECERT Foundation
Third-party services are outside the scope of this policy.
4. How to Report
Please include:
- Description of the vulnerability
- Affected URL, system, or service
- Steps to reproduce
- Proof of concept, if applicable
- Potential security impact
- Contact information, optional
Send reports to security@vecertfoundation.org.
For sensitive reports, we encourage the use of encrypted communications when possible.
5. Our Commitment to Researchers
If you act in good faith and comply with this policy, VECERT Foundation will:
- Acknowledge receipt of your report.
- Review and validate the vulnerability.
- Work to remediate confirmed issues.
- Keep you informed of the remediation process when appropriate.
- Credit your contribution publicly, with your permission.
6. Good Faith Research
We consider security research to be conducted in good faith when researchers:
- Avoid harming users.
- Respect privacy.
- Do not access more data than necessary.
- Do not disrupt services.
- Do not exploit vulnerabilities beyond what is required to demonstrate their existence.
- Immediately stop testing if significant risk is identified.
7. Prohibited Activities
The following activities are not permitted:
- Social engineering.
- Phishing.
- Physical attacks.
- Denial of Service or DDoS.
- Malware deployment.
- Data destruction.
- Ransomware.
- Credential theft.
- Accessing data unrelated to the reported vulnerability.
- Modifying information belonging to other users.
8. Safe Harbor
VECERT Foundation will not pursue legal action against researchers who act in good faith, comply with this policy, promptly report vulnerabilities, do not exploit vulnerabilities for personal gain, and avoid causing harm or service disruption.
This Safe Harbor does not apply to illegal activities or malicious conduct.
9. Out of Scope
Examples of findings generally considered out of scope include:
- Missing security headers with no demonstrable impact.
- Outdated software without a proven exploit.
- Clickjacking on non-sensitive pages.
- Best-practice recommendations without a security impact.
- Spam reports.
- Self-XSS.
- Vulnerabilities affecting third-party services not controlled by VECERT Foundation.
10. Coordinated Disclosure
We ask researchers to allow VECERT Foundation a reasonable opportunity to investigate and remediate reported vulnerabilities before publicly disclosing technical details.
Coordinated disclosure helps protect users while remediation is underway.
11. Recognition
At our discretion, and with the researcher's consent, we may acknowledge individuals or organizations that responsibly report valid security vulnerabilities through a public recognition program or Hall of Fame.
Recognition is voluntary and does not imply financial compensation.
12. No Bug Bounty
At this time, VECERT Foundation does not operate a monetary bug bounty program.
However, we greatly value responsible disclosures and may recognize significant contributions through non-monetary acknowledgments.
13. Policy Updates
This Responsible Disclosure Policy may be updated periodically to reflect changes in our services, technologies, or security practices.
The latest version will always be available on our website.
14. Contact
Security Team
VECERT Foundation
Email: security@vecertfoundation.org
Website: www.vecertfoundation.org