Found a vulnerability in our platform?
Vawlt is a solution built with security as a top priority. While our team is entirely committed to designing and developing a solution that keeps your data safe, we encourage any user to point out and report any fragilities or vulnerabilities in our website and platform.
If this is the case, we invite you to send a detailed report to firstname.lastname@example.org.
Below, you can find some useful information on how to submit a report to our team, as well as a set of rules to guide you if you find any issues. Your report may even be considered for a reward.
Welcome to our Vulnerability Detection Program.
How to submit a report correctly
To submit a vulnerability report, send an email to email@example.com. Keep the following points in mind:
- Provide a complete description for our analysis.
- Attach a “How to” guide with the necessary steps so we can replicate the situation, either in text or video, or a proof of concept.
- Use the CVSS calculator and attach its output to the report.
- Include your own assessment of the issue's severity.
- Provide us with any other information you consider useful for the analysis.
Your vulnerability report will qualify for a prize if all these conditions apply:
- The report must have the structure mentioned above.
- The report can’t be only a copy-paste of the output of an automated security scanner: reports without additional insights won’t be considered.
- The issue must be real and testable: hypothetical situations won’t be considered.
- The issue must refer to something we don’t know about: we won’t reward any findings that have already been reported, either by you or someone else.
- The issue must take place on the latest publicly available website/platform version of vawlt.io.
- The issue must be in scope (see the list below).
Out of scope list
Here are some situations we generally consider to be out of scope:
- Feature bugs.
- Vulnerabilities in third-party code or services that do not lead to an exploit.
- Missing HTTP security headers.
If the report is proven to be valid, there might be a prize for you. The amounts are calculated based on the category or severity of each reported issue, as you can check in the table below.
Revealing any issue publicly without Vawlt’s consent is strictly forbidden.
Please notify us whether the report is your own work or is covered by the intellectual property rights of third-party entities.
If you submit any report of this kind, you’re granting Vawlt Technologies, S. A. a permanent and irreversible license to all intellectual property rights licensable by you in or related to the use of this material.
If you do not notify us of this matter, the report will be taken to be your own work and therefore not covered by intellectual property rights from any other entity.
We appreciate your collaboration in keeping our platform and our customers safe.