Responsible Disclosure Policy

Last updated · May 2026

Vexocore IT Services Pvt. Ltd. welcomes security research. If you have found a vulnerability in vexocore.io or any service we operate, this page tells you how to report it safely and what to expect from us.

1. How to report

2. Scope

In scope:

  • vexocore.io and its subdomains
  • APIs documented at /docs
  • Authentication and account-management flows

Out of scope:

  • Third-party services (Supabase, Cloudflare, Resend, Vercel, Hostinger) — report directly to them
  • Denial-of-service, brute-force, automated scanners
  • Social engineering of staff or customers
  • Physical attacks
  • Issues already reported by another researcher
  • Best-practice or hardening suggestions without a working PoC

3. Our commitments

  • Acknowledge your report within 3 business days
  • Triage and assign severity within 10 business days
  • Keep you informed about fix progress and timelines
  • Credit you publicly on /trust (with your consent)
  • Operate in good faith — we will not pursue legal action against researchers who follow this policy

4. Safe harbor

We consider good-faith security research that follows this policy to be authorized testing under the Indian IT Act and analogous global laws (CFAA in the US, CMA in the UK). We will not initiate legal action against you for accidental, good-faith violations of this policy. We will not request takedown of your research write-up, provided it does not disclose personal data of others.

5. What we ask of you

  • Make a good-faith effort to avoid privacy violations, data destruction, and service degradation
  • Only access accounts, data, or systems necessary to demonstrate the issue
  • Give us reasonable time to remediate before public disclosure (we suggest 90 days)
  • Do not exploit the issue beyond proof-of-concept
  • Do not extort, threaten, or demand payment

6. Rewards

We do not currently run a paid bug bounty program. We acknowledge meaningful reports with public credit, swag, and a written letter of appreciation. We are considering a formal program for 2027 — subscribe to /trust updates for announcements.

7. Out-of-band contact

If you cannot reach us by email, file a private security advisory on our GitHub organization or send a DM to a Vexocore engineer on LinkedIn. Do not post vulnerability details to public channels.

Questions about this policy? Write to security@vexocore.io.