Vulnerability disclosure policy
VitalSend operates a service whose entire value depends on its security
posture. We take vulnerability reports seriously and welcome coordinated
disclosure from researchers.
Reporting a vulnerability
Email: [email protected]
Do not open a public GitHub issue, PR, or discussion for security
issues — even apparently low-severity ones.
Please include:
- A clear description of the vulnerability and its impact
- Steps to reproduce, including any required setup
- Affected component(s): repo + commit/version, or live URL
- Whether the issue has been disclosed to anyone else
Test against your own anonymous account. Do not test against accounts
or share links belonging to others.
We will acknowledge receipt within 72 hours and provide a substantive
status update within 7 days.
Scope
In scope:
- The published code at github.com/vitalsend (any repo)
- The live service at vitalsend.eu and its subdomains
- Cryptographic correctness, key handling, leakage of plaintext or metadata, integrity of the one-download guarantee
Out of scope:
- Denial of service through volume/rate (we accept this risk)
- Reports relying on physical access to a victim's device
- Reports against third-party services we depend on — report those upstream and let us know
- Findings on staging environments unless they reproduce on production
- Self-XSS, missing best-practice headers without an exploitable impact,
outdated library versions without a demonstrated vulnerability
Coordinated disclosure
We ask for a 90-day window from acknowledgement before public
disclosure, extendable by mutual agreement if a fix is in progress.
We will credit researchers in release notes and a public advisory
unless asked not to.
Safe harbour
If you make a good-faith effort to comply with this policy, we will
not pursue legal action and will work with you in good faith.
"Good faith" means:
- Avoiding access to user data beyond what is necessary to demonstrate the issue
- Not modifying or destroying data
- Not interfering with availability for other users
- Stopping testing and reporting immediately if you encounter user data
Bug bounty
We do not currently run a paid bug bounty programme. We may at our
discretion offer a token of appreciation for high-impact reports.