Found a vulnerability in our platform?

Vawlt is a solution built with security as a top priority. While our team is entirely committed to designing and developing a solution that keeps your data safe, we encourage any user to point out and report any fragilities or vulnerabilities in our website and platform.

If this is the case, we invite you to share with us a detailed report to security@vawlt.io.

Below, you can find some useful information on how to submit a report to our team, as well as a set of rules to guide you if you find any issues. Your report can be even considered for a reward attribution.

Welcome to our Vulnerability Detection Program.

How to submit a report correctly

To submit a vulnerability report, send us an email to security@vawlt.io. Take into consideration the following topics:

Provide a complete description for our analysis.
Attach a “How to” guide with the necessary steps so we can replicate the situation, either in text or video, or a proof of concept.
Use the CVSS calculator and provide us with the output attached in the report.
Make a self-evaluation of the situation severity.
Provide us with any other information you consider useful for the analysis.

Qualification criteria

Your vulnerability report will be qualified for a prize if all these conditions apply:

The report must have the structure mentioned above.
The report can’t be only a copy-paste of an automated security scanner: reports without additional insights won’t be considered.
The issue must be real and testable: hypothetical situations won’t be considered.
The issue must refer to something we don’t know about: we won’t reward any findings that were already been previously reported, either by you or someone else.
The issue must take place on the latest publicly available website/platform version of vawlt.io.
The issue must be in scope (see the list below).

Out of scope list

Here are some situations we generally consider to be out of scope:

Feature bugs.
Vulnerabilities in third-party code or services that do not lead to an exploit.
Missing HTTP security headers.

Prizes

If the report is proven to be valid, there might be a prize for you. The amounts are calculated based on the category or severity of each reported issue, as you can check in the table below.

SEVERITY	VALUE
Low	€75
Medium	€100
High	€200
Critical	€750

Disclaimer

Revealing any issue publicly without Vawlt’s consent is strictly forbidden.

Please notify us if this is your work or is covered by the intellectual property rights of third-party entities.

If you submit any report of this kind, you’re granting Vawlt Technologies, S. A. a permanent and irreversible license to all intellectual property rights licensable by you in or related to the use of this material.

Not notifying us of this matter will mean that the report is your own work, so it isn’t covered by intellectual property rights from any other entity.

We appreciate your collaboration by keeping our platform and our customers safe.

Don't Let Ransomware Stop Your Company

It's easy to start.

Get a Demo

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
1P_JAR	1 month	This cookie is placed by Google Ads Optimization and the functionality is to provide ad delivery or retargeting.
ac_chat	1 year	This cookie is placed by Vawlt and the functionality is to activate user tracking by the third-party service ActiveCampaign and its chat functionality, upon given consent.
ac_enable_tracking	at least one session	This cookie is placed by ActiveCampaign and its functionality is to store cookie consent preferences.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
DV	1 day	This cookie is placed by Google Ads Optimization and the functionality is to provide ad delivery or retargeting.
lang	session	This cookie is placed by LinkedIn is used to remember a user's language setting.
li_gc	2 years	This cookie is placed by LinkedIn and its functionality is to store the consent of guests regarding the use of cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
NID	6 months	This cookie is placed by Google Ads Optimization and the functionality is to provide ad delivery or retargeting, store user preferences.
prism_*	1 month	This cookie is placed by ActiveCampaign and its functionality is to store and track interaction.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	2 years	This cookie is placed by Google Analytics and its functionality is to store and count page views. Collects data on the number of times a user has visited the website as well as dates for the first and most recent visit.
_gat_*	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is placed by Hotjar and its functionality is to detect the first pageview session of a user. Boolean true/false data type.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	This cookie is placed by Hotjar and its functionality is to determine if a user is included in the data sampling defined by our site's pageview limit. Boolean true/false data type.
_hjIncludedInSessionSample	2 minutes	This cookie is placed by Hotjar and its functionality is to determine if a user is included in the data sampling defined by our site's daily session limit. Boolean true/false data type.
_hjSession_*	session	This cookie is placed by Hotjar and its functionality is to provide functions across pages. Stored data: user ID.
_hjSessionUser_*	1 year	This cookie is placed by Hotjar and its functionality is to store a unique user ID.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbc	3 months	This cookie is placed by Facebook and its functionality is to store users' last visit. Stored data: browsing device information.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_gac_*	3 months	This cookie is placed by Google Ads and its functionality is to store and track audience reach. Collects data on the number of times a user has visited the website as well as dates for the first and most recent visit.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year	This cookie is placed by Doubleclick and its functionality is to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and presenting targeted ads to the user.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.