Responsible Disclosure Policy
Last updated: March 3, 2026
At Vuln0x, security is at the core of everything we do. We value the work of security researchers who help keep our platform and users safe. This policy outlines how to report vulnerabilities in the Vuln0x platform and our commitment to researchers who do so responsibly.
1. Scope
The following assets are in scope for security research:
- vuln0x.com — Main website and application.
- api-v1.vuln0x.com — Public API.
- app.vuln0x.com — Dashboard and user-facing application.
1.1 Out of Scope
- Third-party services we integrate with (Stripe, Supabase, etc.).
- Social engineering attacks against Vuln0x employees.
- Physical security of our offices or infrastructure.
- Denial of service (DoS/DDoS) attacks.
- Automated scanning without prior coordination.
- Spam, phishing, or social engineering via our platform.
2. Reporting a Vulnerability
If you discover a security vulnerability, please report it to security@vuln0x.com.
Your report should include:
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- The potential impact and severity assessment.
- Any proof-of-concept code or screenshots.
- Your contact information for follow-up.
Please encrypt sensitive reports using our PGP key, available upon request at security@vuln0x.com.
3. Safe Harbor
We believe security research conducted in good faith should be encouraged and protected. Accordingly:
- We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy.
- We will work with you to understand and validate the issue before taking corrective action.
- We will not retaliate against researchers who report vulnerabilities in good faith, even if the report is ultimately deemed not to be a vulnerability.
- If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will make reasonable efforts to make it known that your actions were authorized under this policy.
4. Response Timeline
| Stage | Timeline |
|---|---|
| Acknowledgment of report | Within 24 hours |
| Initial triage and severity assessment | Within 72 hours |
| Status update to researcher | Within 7 days |
| Remediation target | Within 90 days |
| Public disclosure (coordinated) | After fix is deployed, mutually agreed |
5. Bug Bounty Program
Vuln0x operates a paid bug bounty program. Rewards are determined based on the severity and impact of the vulnerability:
| Severity | Description | Reward Range |
|---|---|---|
| Critical | Remote code execution, authentication bypass, data breach of customer data | $1,000 – $5,000 |
| High | Privilege escalation, significant data exposure, stored XSS affecting other users | $500 – $1,000 |
| Medium | CSRF on critical actions, information disclosure, authorization bypass | $100 – $500 |
| Low | Reflected XSS, minor information leakage, best practice violations | $50 – $100 |
5.1 Eligibility
- The vulnerability must be previously unreported and not publicly known.
- The researcher must not have exploited the vulnerability beyond what is necessary for proof of concept.
- The researcher must not have accessed, modified, or deleted other users' data.
- Reports from Vuln0x employees, contractors, or their immediate family members are not eligible.
5.2 Payment
Bounty payments are made via bank transfer or PayPal within 30 days of vulnerability confirmation. Researchers are responsible for any applicable taxes.
6. Guidelines for Researchers
To qualify for safe harbor and bounty eligibility:
- Do report vulnerabilities promptly after discovery.
- Do provide sufficient detail for us to reproduce the issue.
- Do give us reasonable time to fix the issue before public disclosure.
- Do not access, modify, or delete data belonging to other users.
- Do not perform denial of service attacks.
- Do not use automated scanning tools without prior coordination.
- Do not publicly disclose the vulnerability before we have deployed a fix.
7. Hall of Fame
With the researcher's permission, we will publicly acknowledge their contribution on our security Hall of Fame page. Researchers may choose to remain anonymous.
8. Contact
For security reports and questions about this policy:
- Email: security@vuln0x.com
- For urgent matters: Include "[URGENT]" in the subject line.
Thank you for helping keep Vuln0x and our users safe.