Vulnerability Disclosure Program

Last updated: 15 August 2023

Please note: We are pausing our program between 15 August 2023 and 1 October 2023. We are taking this period to address previous reports.

During this period we will review all reports but will not respond or reward bounties until 1 October 2023. All reports between now and 1 October 2023 WILL be considered for reward. All reports will be reviewed in the order they are received to ensure the first reporters are rewarded.

Your report will be recorded and assigned a unique number.

We want to thank the community: we have received some great reports since starting our VDP program!

If you believe you've discovered a security bug in Vero, please report it to dataprivacy@getvero.com. Our team will promptly acknowledge your report and classify it according to the severity ratings described below. We request that you do not publicly disclose issues you have found.

We understand the effort and work that goes into security research. We are grateful for any reports from researchers and, to show our thanks, we operate a reward program for responsibly disclosed vulnerabilities. A minimum reward of USD$75 may be provided for disclosures that meet the following eligibility criteria:

  • You must be the first to report the vulnerability.
  • You must not have compromised (or attempted to compromise) the privacy of our customers and their users.
  • You must not have publicly disclosed the vulnerability.

We classify reports using a P1 (most severe) to P4 (least severe) rating system. The value of the reward will depend on the severity of the vulnerability.

When researching vulnerabilities you must use your own test Vero accounts (not customer accounts or any other account). We ask that you undertake any investigation responsibly and do not:

  • Access Vero customers' data.
  • Negatively impact Vero customers and their users (for example, by sending spam or making social engineering or phishing attempts).
  • Take any actions that result in a denial of service of the Vero system.

Any report that fails to comply with any of the above will be disqualified. You must also comply with all applicable laws when researching vulnerabilities.

In scope

The following domains are in scope: https://*.getvero.com.

You can sign up for a free trial account of our products at https://app.getvero.com/signup and https://connect.getvero.com/signup.

Please note: when signing up for a trial please use an email address with one of the following domains:

  • @wearehackerone.com
  • @bugcrowdninja.com
  • @maildrop.cc
  • @guerrillamail.com

Out of scope

Reports against domains other than https://*.getvero.com are out of scope. Reports against the following subdomains and paths are also out of scope:

  • feedback.getvero.com
  • developers.getvero.com
  • help.getvero.com
  • status.getvero.com
  • www.getvero.com/demo

The following categories of report are also out of scope (they are known or have been reported):

  • XSS vulnerabilities
  • Issues related to SPF records
  • Issues related to DMARC records
  • Missing Content-Security-Policy header
  • Missing Certificate Authority Authorization (CAA) records
  • Lack of rate limiting
  • Denial of Service attacks
  • Open redirects that rely on response manipulation