How to report
Email security@veirox.com. Encrypt the report with our PGP key (linked from security.txt) for sensitive details. We acknowledge within 2 business days.
Scope
In-scope:
- The Veirox SaaS at
veirox.com(API, console, marketing). - The Veirox CLI binary distributed via brew, scoop, GHCR, or
install.sh. - The Veirox connector binary distributed via Docker, Helm, or
install.sh. - Public release artifacts (cosign signatures, SBOMs).
Out of scope:
- Third-party services (Anthropic, Stripe, DigitalOcean, Cloudflare, GitHub) — report directly to them.
- Customers' own infrastructure where Veirox Connect is deployed (you are the operator).
- Self-XSS that requires the user to paste attacker-supplied content into the developer console.
- Issues only exploitable on outdated CLI / connector versions older than 6 months.
Safe-harbour rules
We won't pursue legal action against good-faith researchers who:
- Stop probing as soon as access to user data, the database, or the SaaS infrastructure is achieved.
- Don't read, modify, exfiltrate, or destroy customer data.
- Don't degrade service for other users (no DDoS, no flooding).
- Use only test accounts you own.
- Give us reasonable time (typically 90 days) to fix before public disclosure.
- Comply with applicable law and our AUP.
Recognition
We don't currently run a paid bug bounty. We will:
- Acknowledge your report within 2 business days.
- Credit you in our hall of fame (with your permission) once a fix ships.
- Send swag for material findings (stickers, t-shirts; nothing mind-blowing — we're a small team).
- Provide a written reference for inclusion in your CV / portfolio.
A paid program is on our roadmap as the customer base grows.
Response timeline
- 2 business days — acknowledgement of receipt.
- 7 business days — initial triage + severity assessment.
- 30 days for high/critical, 90 days for medium/low — fix shipped or written justification.
- Coordinated disclosure — we'll work with you on a public-disclosure date, ideally tied to a CVE if applicable.
Hall of fame
Researchers who responsibly disclosed vulnerabilities to us:
- Empty so far — be the first!