Last updated: 3 February 2024
Important: As of 5 February 2024, we have paused our bug bounty program until further notice. We are currently reviewing our internal processes and report classification. We intend to re-open our bug bounty some time in 2024.
For reports made on or after 5 February 2024, we will not be providing financial rewards at this time.
Read below to learn more. Our Vulnerability Disclosure Program remains active and we support responsible disclosure of any findings.
If you believe you've discovered a security vulnerability in Vero's platform, please report it at firstname.lastname@example.org. We request that you do not publicly disclose your findings without our permission.
When conducting research:
We understand the effort and work that goes into security research. We are grateful for any reports from researchers.
Unless noted below (in "Out of scope"), the following subdomains are in scope:
You can sign up for a free trial account of our products at https://app.getvero.com/signup and https://connect.getvero.com/signup.
Important: when signing up for a trial please use an email address with one of the following domains:
@wearehackerone.com (Please note we do not have a formal HackerOne program at this time.)
@bugcrowdninja.com (Please note we do not have a formal BugCrowd program at this time.)
Reports against domains other than https://*.getvero.com are out of scope.
Reports against these subdomains/paths are also out of scope:
We classify reports using a P1 (most severe) to P5 (least severe) rating system. The value of the reward will depend on the severity of the vulnerability and its potential impact to our business.
When researching vulnerabilities you must use your own test Vero accounts (not customer accounts or any other account). We ask that you undertake any investigation responsibly and do not:
In order to receive a reward you must be the first to report a vulnerability. We do not reward duplicate findings.
The following categories of report are also out of scope (they are known or have been reported):
Any report that fails to comply with any of the above will be disqualified.