Vulnerability Disclosure Policy
Scope
Veza’s Responsible Disclosure Policy applies to Veza’s core platform and its information security infrastructure, and internal and external employees or third parties, including but not limited to:
- Our main website (www.veza.com)
- Our SaaS platform (www.vezacloud.com)
- Our public API endpoints
What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution. Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority. Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation. Please include any plans or intentions for public disclosure.
- Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
In return, we promise to:
- A timely response to your email (within 2 business days).
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
If we are unable to resolve communication issues or other problems, Veza may bring in a neutral third party to assist in determining how best to handle the vulnerability.
Legal Posture
Veza will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting form. We openly accept reports for the currently listed Veza products. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Veza or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of Veza. For example, violating laws that would only result in a claim by Veza (and not a criminal claim) may be acceptable as Veza is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Exclusions
While researching, we’d like you to refrain from:
- Denial of service attacks.
- Accessing or modifying user data without explicit permission.
- Exploiting vulnerabilities in third-party systems or services.
- Using automated scanning tools without prior approval.
- Spamming.
- Social engineering or phishing.