Responsible Disclosure Program

Effective on: June, 2021

At Vendio, we take security and privacy very seriously. We believe that responsible security researchers across the globe are critical in identifying vulnerabilities in any technology. Vendio welcomes and encourages security researchers to report vulnerabilities with our systems and we appreciate your efforts to make the internet a safer place.

How the Program Works

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
1. Let us know as soon as possible upon discovery of a potential security issue and we'll make every effort to quickly resolve the issue.
2. Please avoid any privacy violations, degradations and disruption to our production systems during your testing. This includes any activity that has an impact on the availability of our systems, including the use of vulnerability scanning tools.
3. Do not access data of other users and solely use your created accounts.
4. Do not attempt to brute-force or spam our systems.
5. Never exploit a vulnerability you discover to view data or alter data without authorization.
6. Do not do anything illegal. Researchers are responsible for complying with local laws, restrictions, regulations, etc.
7. Please keep information disclosed confidential between yourself and Vendio, until we resolve the issue. Again, we will make our best efforts to fix issues in a short time frame, but some vulnerabilities take longer than others to resolve.

By responsibly submitting your findings to Vendio in accordance with these guidelines Vendio agrees not to pursue legal action against you. Vendio reserves all legal rights in the event of noncompliance with these guidelines.

Once a report is submitted, Vendio commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Vulnerability Submissions

Please report any security issues you find to [email protected] If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.

Please include the following in your submission:
1. Your name and contact information
2. Company name (if applicable)
3. A detailed description of the potential vulnerability
4. Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability, proof of concept links and/or payloads
5. Any relevant details of your system’s configuration, such as any browser or user-agent information where the tests were conducted
6. Your IP address and Vendio account, to assist with coordinated log review

Exclusions

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program, including:
1. Social engineering (including phishing) of Vendio staff, contractors, or users
2. DoS/DDoS
3. Resource Exhaustion attacks
4. Self XXS
5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
6. Reports from automated tools and/or scans
7. Bugs in 3rd party software
8. Physical attacks on our infrastructure
9. DNSSEC
10. CSV Injection
11. SSL/TLS Best Practices
12. X-Frame-Options related
13. Missing security headers which do not lead directly to a vulnerability

Thank you

We want to make sure to sincerely thank you for your disclosing security vulnerabilities responsibly and working with us to improve our security. We understand the work and talent you've put into finding these issues and appreciate you reaching out to us.

Our PGP Key
If you are submitting sensitive vulnerability information or wish to communicate with us privately about your concern, we encourage you to use the following PGP key to encrypt your message to us.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF7NmuIBCADGXP6elvaRGCtzzxsV4ciAoxpLjl4uDCG5SMAYyr7p0l1oms1S
l6yvdnrSXkDCoWH/OV95zMe0JNce7CYAGqfikQmkCKlSMhIzwH1pCpslR/g9I1q3
vrrEc81fSj+KtBop0dLlt7d5ZPKWP8q75Yv0usYDGvjtEzySmP0RSP6QFuUFHOns
jkv1bMbWOSLasEc9Chc8nMftPTnRrEnbsZTjcdmtc6mK23rwuHteUcApLCD354oC
w7lAe9CBMpdWCDlxosA1Kmpz/YIcWcnN045lI7yQXq2KakiMxL9mXFlm0hqQwSiR
Q/0KynSdDoDmRpfWvjP5MWlR7GB4LVSCD4eXABEBAAG0GXNlY3VyaXR5QG1vcmVj
b21tZXJjZS5jb22JAVQEEwEIAD4WIQRERvyENPY88MyC08MgtS69cZ4bvwUCXs2a
4gIbAwUJA8IzTgULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAgtS69cZ4bvy+t
CACfUEPsxzYg2eQNwxqHN/qfDj4/D3KmTpwqVsOQvFGrEJf6TDNloP7PkpRIij48
9b/uJJe+n0FdzKpkOIeiIQdc8kpGY+XcbRBMSX76BcBVbFsUIp3G4MGiFVbE93p+
ufvic01OqsQNuOAaAe46JUmrdB4lk9Us5VxLMPS9p7KnVvw4G7sz4+RUrz6/IL6m
RdQIe9Y6hv+tvybgB70fPst+t62KpFcK13t0vis7E1LSesNYtOpzg4ThKADCkBSE
I3EAE0+hGrPrVhzpthIJHMoHTqqoAfOUXRC7ZmKolWgjpowLIv5FenLgYiYjIr1m
2WwfFlHbv46PmkjTEW9VfzFSuQENBF7NmuIBCAC4L01UTa7XX4MpsQMmdQKvXdu+
806WnduLITlRlBP6gX9XVLTljFbfjq9bnITMjcrLHQumeCgbBD/vArSoUhi3dZ7t
k71XAFxq9So6baQNR7M6ClxhXKm5cfbLgHfsrT5I+uZwDnygdPuuVu8Nc+2G4GPS
NoCIOEu+TiBq7/vhSwJWJ308+0cUWfNub60FKCp8WcKU7B8AMOGh6el/GJxAmxRD
kz4dfm73aGOM9IDP80LTfV3hknVbH/9a+HtA8zy/Iba7sVuenpSrD3ntt0UIusk5
bIHayAhV0wzjdiY5Mm9dWBY+XLFbbIWqvZqQatsO+xYvd5LQ9JfMyPjjt81HABEB
AAGJATwEGAEIACYWIQRERvyENPY88MyC08MgtS69cZ4bvwUCXs2a4gIbDAUJA8Iz
TgAKCRAgtS69cZ4bv2/yCADBC/+bsUnadgsU6jqTQQ89oYmRP41oaAiZhwvF94lr
Pzw4oGTaR5Tpwhi3eO5AF8PcxM34DHauEi8zPCLyb56bdhnCDlnUQ4ZUCbr3+m+v
r7Zec+7pZDnjfYvOfonXgtjG/zJ5hWYJnObD56nKu4uqXheEK1VuyYzEG3pUUwKQ
FF3A0ZgJygAN8cqqz1qni/Bd0n/RSE2Ps5HPpn9xDdEQFyFqocPtNo/opH++Liws
vm3Gl8eEG17XFn7IiuwLdKyK5rvU1Fd79KKlBBsBPWLKXC+Js7esNeEaxzZQf7F5
n9m2b0RtGL6+Cq56O6o2fUEBVlyeYjhQPEfUCN0e94c7
=13dx
-----END PGP PUBLIC KEY BLOCK-----