Security & Responsible Disclosure

Overview

VulnX is committed to security and privacy. If you discover a vulnerability or security issue in our platform, we encourage you to report it responsibly. This page explains our responsible disclosure program and how to report security issues.

✓ Safe Harbor: VulnX will not pursue legal action against researchers who follow this policy and act in good faith.

1. What We Cover

We consider the following valid security issues:

✅ In Scope (Please Report)

• Authentication Issues: Bypass of login systems, weak session management, privilege escalation
• Authorization Flaws: Unauthorized access to reports, user data, or admin functions
• Data Exposure: Disclosure of personal data, payment information, or audit findings
• Injection Attacks: SQL injection, command injection, code injection vulnerabilities
• XSS / CSRF: Cross-site scripting or request forgery vulnerabilities
• Encryption Flaws: Weak or broken encryption, insecure data transmission
• API Security: Insecure API endpoints, missing authentication/authorization
• Configuration Issues: Exposed sensitive files, misconfigured security headers
• Logic Flaws: Business logic vulnerabilities that could be exploited
• Infrastructure Issues: Publicly exposed databases, unprotected cloud storage

❌ Out of Scope (Please Don't Test)

• Denial of Service (DoS): Do not test or launch DoS attacks
• Brute Force Attacks: Do not attempt password cracking or brute forcing
• Social Engineering: Do not impersonate staff or attempt to trick employees
• Physical Access: Do not attempt to access offices or physical infrastructure
• Credential Theft: Do not attempt to steal or phish credentials
• Malware Distribution: Do not attempt to inject malware or backdoors
• Data Destruction: Do not modify, delete, or destroy data
• Third-Party Systems: Do not test systems outside of vulnx.in domain
• Spam or Abuse: Do not spam, abuse, or disrupt our services

2. How to Report a Security Vulnerability

Contact Information

Please email security vulnerabilities to:

⚠️ Important: Do not post vulnerability details publicly or on social media before we have had time to fix the issue. This gives us time to address the vulnerability responsibly.

3. What to Include in Your Report

To help us understand and fix the issue quickly, please include:

Essential Information

• Description: Clear explanation of the vulnerability
• Location: Specific page, endpoint, or feature affected
• Steps to Reproduce: Detailed steps to reproduce the issue
• Impact: What could an attacker do with this vulnerability?
• Severity: Your assessment of the severity (if you can)

Optional But Helpful

• Screenshots or screen recordings
• Proof-of-concept code (if applicable)
• Your contact information (how to reach you with follow-up)
• PGP key (if you want encrypted communication)

❌ Don't Include

• Actual passwords or authentication credentials
• Real user data or personal information
• Malicious payloads or malware
• Links to modified copies of our site

4. Rules of Engagement

To ensure a responsible disclosure process, please:

• Act in Good Faith: Only test for security issues, not to cause harm
• Don't Exploit Further: Report the vulnerability immediately after discovery; don't exploit it to gain more access
• Minimal Testing: Perform only the minimum testing needed to confirm the vulnerability
• No Data Exfiltration: Do not download, copy, or exfiltrate any data
• No Persistence: Do not install backdoors, malware, or any persistence mechanisms
• Confidentiality: Keep the vulnerability confidential until we've had time to fix it
• No Disclosure Timeline Pressure: Avoid setting artificial deadlines for public disclosure

5. How We Handle Vulnerabilities

Our Process

1. Acknowledgment (24 hours): We'll confirm receipt of your report
2. Assessment (48-72 hours): We'll assess the vulnerability's impact and severity
3. Fix Development: Our team will develop a fix
4. Testing & Deployment: Our team will test and deploy the fix
5. Notification: We'll notify you when the fix is deployed
6. Credit (Optional): We'll credit you in our security advisory (if you wish)

Typical Timeline

• Critical Issues: Fixed and deployed within 48 hours
• High Severity: Fixed and deployed within 1 week
• Medium Severity: Fixed and deployed within 2-4 weeks
• Low Severity: Fixed in next regular update (up to 3 months)

6. Our Commitment

VulnX commits to:

• Responding to vulnerability reports promptly
• Keeping the researcher informed of progress
• Fixing confirmed vulnerabilities as quickly as possible
• Maintaining confidentiality until a fix is deployed
• Crediting the researcher if they wish to be credited
• Not pursuing legal action against researchers who follow this policy in good faith

7. Safe Harbor

8. VulnX Security Practices

VulnX maintains security through:

• Secure Development: Code review and security testing during development
• Encryption: SSL/TLS for all data in transit; encryption for sensitive data at rest
• Authentication: JWT tokens with secure expiration and rotation
• Regular Updates: Dependencies and frameworks updated for security patches
• Logging & Monitoring: Audit trails and security monitoring for unusual activity
• Access Controls: Role-based access control and principle of least privilege
• Security Audits: Regular internal and external security reviews

Questions?

If you have questions about responsible disclosure or want to clarify scope before testing, please contact us: