Security

Responsible Disclosure

We welcome good-faith security research on Vaultaproof systems. If you think you’ve found a vulnerability, tell us so we can fix it quickly.

Email: security@vaultaproof.com

Response targets

  • We acknowledge reports within 2 business days.
  • We provide a status update within 5 business days.
  • We will coordinate remediation and disclosure timelines with you.

In scope

  • vaultaproof.com and *.vaultaproof.com public-facing services
  • API endpoints used by Vaultaproof web clients
  • Authentication, session, and document-access controls

Out of scope

  • Denial-of-service tests (traffic floods, resource exhaustion)
  • Social engineering of Vaultaproof staff or customers
  • Physical security attacks
  • Automated vulnerability scans without a clear, minimal proof of the issue
  • Data exfiltration beyond the minimal evidence required to demonstrate impact

Safe harbor

  • Do not exploit a vulnerability beyond the minimum needed to demonstrate impact.
  • Do not access, modify, or delete data that is not your own.
  • Avoid privacy violations and degradation of service.
  • If you encounter personal data, stop testing and contact us immediately.
  • Operate within the law; we will not pursue legal action against researchers who follow this policy.

Rules of engagement

  • No ransom or extortion language.
  • No destructive testing (including DDoS or spam).
  • Use test accounts where possible.
  • Coordinate public disclosure with us; do not disclose before a fix is in place or 90 days have passed, whichever comes first.
  • We currently do not offer bug bounties.