SYSTEM ONLINE

Responsible Disclosure Policy

How to report vulnerabilities in Vulnera's own systems, our commitments to researchers, and the safe harbour we provide for good-faith research.

EFFECTIVE: March 5, 2026PLATFORM: VULNERA.ONLINE GOVERNING LAW: INDIA
ℹ NOTE
We take the security of $Vulnera seriously. If you discover a security vulnerability in our Service, we encourage responsible disclosure and commit to working with you transparently to resolve issues.
RESPONSE TARGET
72 HOURS
DISCLOSURE WINDOW
90 DAYS
EFFECTIVE DATE
MARCH 5, 2026
01

In Scope

  • The Vulnera web application and UI
  • Our public API endpoints
  • Our backend infrastructure directly supporting the Service
  • Authentication and session management flaws
  • Injection vulnerabilities (SQL, XSS, SSRF, etc.)
  • Sensitive data exposure in our own systems
02

Out of Scope

  • Vulnerabilities in third-party libraries we use but do not maintain
  • Denial-of-service (DoS/DDoS) attacks
  • Social engineering or phishing attacks targeting our staff
  • Physical security issues
  • Vulnerabilities requiring unlikely user interaction or physical device access
  • Issues already known to us or previously reported
  • Scanner results about third-party websites (those are not our systems)
03

How to Report

Email your finding to $support@vulnera.online with the subject line "[Security Disclosure] — [Brief Description]". Please include:

  • A clear description of the vulnerability and affected component
  • Step-by-step reproduction instructions
  • Screenshots, logs, or proof-of-concept (PoC) code
  • Your assessment of potential impact
  • Your suggested remediation (optional)
⚠ IMPORTANT
Please do NOT publicly disclose the vulnerability until we have had 90 days from our initial acknowledgement to remediate it.
04

Our Commitments to You

  • Acknowledge receipt of your report within 72 hours
  • Confirm whether the issue is in scope within 7 business days
  • Provide regular progress updates throughout remediation
  • Credit you by name or handle in our security acknowledgements (unless you prefer anonymity)
  • Not pursue legal action against researchers acting in good faith under this policy
05

Researcher Safe Harbour

We consider research conducted in compliance with this policy to be authorised activity. If any third party initiates legal action against you for research conducted under this policy and in good faith, we will make clear to relevant parties that your activities were sanctioned under this Responsible Disclosure Policy.

Good faith requires that you:

  • Do not access, modify, or exfiltrate data beyond what is strictly necessary to demonstrate the vulnerability
  • Do not disrupt the availability or performance of the Service
  • Do not exploit the vulnerability for any purpose beyond demonstrating its existence
  • Do not demand payment as a condition of disclosure
06

Response Timeline

ACKNOWLEDGEMENT
Within 72 hours of receiving your report
INITIAL ASSESSMENT
Within 7 business days
CRITICAL FIX TARGET
7 days from acknowledgement
HIGH FIX TARGET
30 days from acknowledgement
MEDIUM FIX TARGET
90 days from acknowledgement
COORDINATED DISCLOSURE
90 days from acknowledgement