Vulnerability Disclosure Policy

Vulnerability Disclosure Policy - Bug Bounty Program

At Velory, we take security seriously. The trust of our customers depends on the security and integrity of our platform. We invite responsible security researchers to help us identify vulnerabilities and improve our defenses.

Guidelines

We are particularly interested in findings such as:

  - Authentication and authorization bypasses

  - Cross-tenant data access

  - Privilege escalation

  - Injection vulnerabilities (SQL, XSS, SSRF)

  - Insecure direct object references

When testing, please follow these rules:

  - Make every effort to avoid privacy violations, service disruption, or destruction of data.

  - Only test against accounts you own or accounts explicitly authorized for testing.

  - Provide enough details to allow us to reproduce and validate the issue quickly.

  - Do not publicly disclose any vulnerability without our prior written consent.

  - Do not access, modify, or delete data belonging to other users.

  - Do not use automated scanners in a way that degrades service for other users.

We will investigate all legitimate reports and do our best to fix issues quickly. We are committed to being transparent and respectful throughout this process.

Out of Scope

  - Social engineering attacks such as phishing employees

  - Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks

  - Automated scanning causing service disruption

  - Vulnerabilities in outdated browsers or unsupported platforms

  - Self-XSS or issues requiring unlikely user interaction

  - Missing security headers without a demonstrable exploit

  - SPF, DKIM, or DMARC configuration suggestions

  - Missing or weak rate limiting on endpoints

  - Best practice recommendations without a demonstrable security impact

  - Clickjacking on pages with no sensitive actions

  - CSV injection

  - Missing cookie flags on non-sensitive cookies

  - Software version disclosure without a working exploit

Rewards

While Velory is a growing company and cannot offer large financial rewards, we do offer a small discretionary bounty for valid, previously unknown critical or high severity issues. We also offer public acknowledgment in our Security Hall of Fame, if desired. Rewards are determined based on the severity, impact, and quality of the report.

How to Report

Please send your findings to security@velory.com. Include a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots, logs, or proof of concept code. We aim to respond within 5 business days and will keep you updated throughout the investigation.

Thank you for helping us build a safer Velory.