At Veloxity, we value quality software and the work that goes into creating it. We acknowledge and appreciate the work done by ethical white-hat security researchers to discover and responsibly report security vulnerabilities found in software used around the world. It is for this reason that we are providing the Security Vulnerability Program outlined below.
Any security research being performed needs to respect the data of Veloxity customers and the level of service expected by Veloxity customers. As such, security researchers must adhere to the following rules:
- Research must be performed only on Veloxity applications that you own/control (either paid or trial). Do not attempt to access the data of any other accounts.
- Denial-of-service attacks of any kind are not allowed.
- Do not attempt non-technical attacks ( such as phishing or social engineering tactics) against Veloxity employees, customers, or infrastructure.
- Do not attempt to infiltrate any physical Veloxity presence (offices, data centers, etc.).
- Report any discoveries to Veloxity (see How to Contact Us) and allow us adequate time to address it before making a public disclosure.
What Is In-Scope
The following is a list of in-scope domains. Any Veloxity-controlled domain that is not listed below is implicitly out-of-scope.
- The www.veloxity.com website is in-scope. The login flow is performed on the website, and so is open to scrutiny. Do keep in mind that attempting to login to an account that is not owned/controlled by the researcher is a violation of the instructions laid out above.
- Any app subdomain owned/controlled by the researcher is in-scope. When an account is created, a unique subdomain is created for the app. This subdomain is considered in-scope.
Any research activities that stay within the parameters of the provided instructions will be considered by Veloxity to be acceptable conduct and will not result in legal action initiated by Veloxity against the researcher.
If you are uncertain if an activity falls under acceptable conduct as per the provided instructions, contact Veloxity before performing the activity.
How to Contact Us
Discoveries are to be reported to the [email protected] email address. Please include the following details within the report:
- The words “Veloxity Security Vulnerability” somewhere in the email subject.
- A description of the vulnerability, including what you think the potential impact is.
- A detailed set of steps to recreate the vulnerability.
- Optionally, your name or other contact information.
We should respond via email with an acknowledgement of your report within seven days.
We will then assess the validity and impact of the reported vulnerability. We will contact you again after this assessment.
If it is determined that the vulnerability needs to be patched, the patch will be created and pushed out within 30 days of the completion of the assessment.