Report a Security Vulnerability

This document serves as a guideline for the responsible reporting and disclosure of security vulnerabilities in v4Guard products and services.

Introduction

v4Guard appreciates all efforts to improve the security of our products and services. We are committed to addressing any potential vulnerabilities that are reported to us by well-intentioned and ethical security researchers. We consider it our responsibility to respond to security issues with transparency and urgency.

Scope and Guidelines

  • This policy applies to all v4Guard products and services in scope.
  • Any vulnerability that affects the confidentiality, integrity, or availability of user data or the correct operation of v4Guard products and services is in scope.
  • v4Guard Sensor pods are not in scope, as they are designed to be vulnerable. If you believe a vulnerability in a Sensor pod is not a simulated one, please report it to us.
  • The following domains and subdomains are in scope:
    1. v4guard.io
    2. dashboard.v4guard.io
    3. connector.v4guard.io
    4. cdn.v4guard.io
    5. v4guard.me
    6. *.v4guard.me
    If you're unsure whether a vulnerability is in scope, please contact us at security@v4guard.io before proceeding.
  • Only demonstrable vulnerabilities are considered in scope. The vulnerability must be reproducible, must be exploitable, and must not rely on social engineering.
  • We require you to not disclose the vulnerability until we have had a reasonable time to address it.
  • We require you not to engage in any activity that may harm v4Guard, its users, or related third parties. You must follow applicable laws while investigating.
  • We appreciate your good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

Bug Bounty

Unfortunately, we do not offer a paid bug bounty program at this time. However, we may consider offering a token of appreciation for any reported vulnerability that is deemed to be within scope and that was reported in accordance with this policy.

Although we do not have a paid program, we want to recognize, through our Hall of Fame, the work of those security researchers who have helped make v4Guard more secure by reporting vulnerabilities responsibly.

There are no security researchers here yet.

Reporting a Security Vulnerability

We appreciate and encourage security researchers to report any security vulnerabilities found in our products and services in a responsible way. If you believe you have discovered a security vulnerability, we request that you follow these guidelines:

  • Please ensure the confidentiality of the vulnerability and do not disclose it publicly until we have had a chance to review and address it.
  • Report the vulnerability to us immediately after discovery by sending an email to security@v4guard.io.
  • Provide a detailed description of the vulnerability and any steps required to reproduce it.
  • If applicable, include any proof-of-concept or exploit code used.

Guidance

When security researchers are investigating a potential vulnerability, they must not:

  • Access data beyond what is required to demonstrate or confirm a vulnerability, or collect an excessive amount of information.
  • Violate the privacy of our users, third parties, or internal systems, including, but not limited to, accessing or exfiltrating data, or disrupting or degrading our services.
  • Modify or destroy data on our systems that is not your own.
  • Communicate or disclose any vulnerabilities in v4Guard products or services to third parties or the public before we confirm that those vulnerabilities have been addressed and completely mitigated. v4Guard must give its consent before any vulnerability is disclosed.

If retrieving some data was necessary during the investigation to confirm or demonstrate the vulnerability, the researcher must securely delete it as soon as it is no longer required, and in any case no later than 30 days after the vulnerability is confirmed to be resolved.

Also, the security researcher must inform v4Guard of the data that was retrieved and confirm that it was securely deleted.

If you're unsure of any of the above, please contact us at security@v4guard.io for clarification and guidance.

This policy is crafted in line with widely accepted best practices adhered to by ethical security researchers. However, it does not grant authorization to engage in any activities that contravene the law or result in v4Guard violating any legal obligations, including but not limited to those outlined in relevant laws within Spain and the European Union.

This includes compliance with:

  • General Data Protection Regulation (GDPR): Ensuring that all data processing activities related to vulnerability reporting comply with GDPR regulations, protecting the privacy and rights of individuals.
  • Computer Misuse Act: Abiding by the provisions of the Computer Misuse Act which cover unauthorized access to computer material and unauthorized acts with intent to impair the operation of a computer.
  • Copyright and Intellectual Property Laws: Respecting copyright laws and intellectual property rights, refraining from any unauthorized use, reproduction, or distribution of copyrighted materials.
  • National and EU Cybersecurity Regulations: Adhering to any specific national and EU regulations related to cybersecurity and data protection, ensuring that reporting vulnerabilities does not violate any legal requirements.

Adherence to these laws and regulations is imperative. Any actions contrary to legal obligations will not be protected under this policy. If you have any doubts or concerns regarding the legality of your actions, it is essential to seek legal advice before proceeding.

v4Guard will not pursue legal action against security researchers who act in good faith and adhere to the guidelines outlined in this policy when investigating and reporting security vulnerabilities.