Last updated: 15 August 2023
Please note: We are pausing our program between 15 August 2023 and 1 October 2023. We are taking this period to address previous reports.
During this period we will review all reports but will not respond or reward bounties until 1 October 2023. All reports between now and 1 October 2023 WILL be considered for reward. All reports will be reviewed in the order they are received to ensure the first reporters are rewarded.
Your report will be recorded and assigned a unique number.
We want to thank the community: we have received some great reports since starting our VDP program!
If you believe you've discovered a bug in Vero's security, please report it at firstname.lastname@example.org. Our team will promptly acknowledge your report and will work to classify it in line with the below. We request that you do not publicly disclose issues you have found.
We understand the effort and work that goes into security research. We are grateful for any reports from researchers and, to show our thanks, we operate a reward program for responsibly disclosed vulnerabilities. A minimum reward of USD$75 may be provided for disclosures that meet the following eligibility criteria:
We classify reports using a P1 (most severe) to P4 (least severe) rating system. The value of the reward will depend on the severity of the vulnerability.
When researching vulnerabilities you must use your own test Vero accounts (not customer accounts or any other account). We ask that you undertake any investigation responsibly and do not:
Any report that fails to comply with any of the above will be disqualified. You must also comply with all applicable laws when researching vulnerabilities.
The following domains are in scope:
You can sign up for free trial accounts of our products at https://app.getvero.com/signup and https://connect.getvero.com/signup.
Please note: when signing up for a trial please use an email address with one of the following domains:
Reports against domains other than https://*.getvero.com are out of scope. Reports against these subdomains are also out of scope:
Reports against these subdomains/paths are also out of scope:
The following categories of report are also out of scope (they are known or have been reported):