📣 Product updates December 2023. Learn more →
Vero logo

Vulnerability Disclosure Program

Last updated: 3 February 2024

Important: As of 5 February 2024, we have paused our bug bounty program until further notice. We are currently reviewing our internal processes and report classification. We intend to re-open our bug bounty some time in 2024.

For reports made on or after 5 February 2024, we will not be providing financial rewards at this time.

Read below to learn more. Our Vulnerability Disclosure Program remains active and we support responsible disclosure of any findings.

If you believe you've discovered a security vulnerability in Vero's platform please report it at dataprivacy@getvero.com. We request that you do not publicly disclose reports that you have found without our permission.

When conducting research:

  • You must not compromise (or attempt to compromise) the data of our customers and their users.
  • You must not publicly disclosed the vulnerability.
  • You must comply with all applicable laws when researching vulnerabilities.

We understand the effort and work that goes into security research. We are grateful for any reports from researchers.

In scope

Unless noted below (in "Out of scope"), the follow subdomains are in scope: https://*.getvero.com.

You can signup for a free trial accounts of our products at https://app.getvero.com/signup and https://connect.getvero.com/signup.

Important: when signing up for a trial please use an email address with one of the following domains:

  • @wearehackerone.com (Please note we do not have a formal HackerOne program at this time.)
  • @bugcrowdninja.com (Please note we do not have a formal BugCrowd program at this time.)
  • @maildrop.cc
  • @guerrillamail.com

Out of scope

Reports against domains other than https://*.getvero.com are out of scope.

Reports against these subdomains/paths are also out of scope:

  • feedback.getvero.com
  • releasenotes.getvero.com
  • developers.getvero.com
  • help.getvero.com
  • status.getvero.com
  • drops.getvero.com
  • www.getvero.com/demo

Bug bounty

We classify reports using a P1 (most severe) to P5 (least severe) rating system. The value of the reward will depend on the severity of the vulnerability and it's potential impact to our business.

When researching vulnerabilities you must use your own test Vero accounts (not customer accounts or any other account). We ask that you undertake any investigation responsibly and do not:

  • Access Vero customers' data.
  • Negatively impact Vero customers and their users (for example, by sending spam or making social engineering or phishing attempts).
  • Take any actions that result in a denial of service of the Vero system.

In order to receive a reward you must be the first to report a vulnerability. We do not reward duplicate findings.

The following categories of report are also out of scope (they are known or have been reported):

  • XSS vulnerabilities
  • Related to SPF records
  • Related to DMARC records
  • Missing Content-Security-Policy header
  • Missing Certificate Authority Authorization (CAA)
  • Lack of rate limiting reports
  • Denial of Service attacks (DoS)
  • Open-redirect via response manipulation reports
  • Javascript libraries behind the latest version
  • TLS/SSL-related vulnerabilities (e.g. CRIME, Heartbleed, etc.)

Any report that fails to comply with any of the above will be disqualified.