Bug Bounty Policy
Introduction
At Vekora, security is a top priority. We recognize the vital role that the security research community plays in keeping our Platform as a Service (PaaS) secure. This policy outlines the guidelines for reporting vulnerabilities in our infrastructure and the terms under which we accept these reports. For a comprehensive overview of our security posture, please refer to our Security Policy.
In-Scope
This policy covers only the infrastructure and services owned and operated by Vekora:
- Core Platform API: api.yourdomain.com
- Web Dashboard/Console: console.yourdomain.com
- CLI Tooling: Official command-line interface distributions.
- Documentation Portal: docs.yourdomain.com
Out-of-Scope
- Customer Applications: Applications, databases, or code hosted by our customers on our PaaS are strictly out of scope unless the vulnerability leads to a sandbox escape or platform-level compromise.
- Third-Party Vendors: Services provided by vendors listed in our Subprocessor List. Please do not test our vendors directly without their authorization.
- Marketing Pages: Static landing pages hosted on third-party CMS platforms.
Safe Harbor
We consider security research to be a “good faith” activity. We will not pursue legal action against you or suspend your account if you:
- Comply with this policy.
- Comply with our Terms of Service and Acceptable Use Policy (specifically regarding non-disruption of services).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Reporting Guidelines
Please submit vulnerability reports to security@vekora.dev.
- Include a Proof of Concept (PoC) and clear steps to reproduce the issue.
- We will acknowledge receipt within 3 business days.
- We aim to triage and confirm vulnerabilities within 7 business days.
Rules of Engagement & Exclusions
While we encourage deep inspection of our platform, the following activities are strictly prohibited. Violations of these rules may also constitute a breach of our Acceptable Use Policy:
- DoS/DDoS: Denial of Service attacks of any kind.
- Social Engineering: Phishing employees, support staff, or customers.
- Physical Security: Attacks against our offices or data centers.
- Data Privacy: You must not intentionally access, modify, or download data belonging to others. If you encounter user data, stop immediately and report the vulnerability. The handling of personal data is strictly governed by our Privacy Policy and Data Processing Agreement (DPA); accessing such data without authorization violates these agreements.
Rewards
We may offer rewards for confirmed vulnerabilities based on severity and impact.
- Rewards are granted entirely at our discretion.
- You are responsible for any tax implications associated with the reward.
- We do not offer rewards for low-severity issues (e.g., missing security headers without a clear exploit vector) or issues already covered in our SLA (e.g., temporary uptime degradation).