Security policy

Vulkro is a security tool, and we hold our own software to the standard we help our users meet. If you have found a vulnerability in the Vulkro binary, the license-issuing infrastructure, the website, or our CDN, we want to hear from you, and we will work the issue with you in good faith.

Security contact

Please send vulnerability reports to [email protected], not to the public support, billing, or sales inboxes.

What to include

A good report helps us reproduce and fix the issue quickly:

  • A clear description of the vulnerability and its impact.
  • The exact version (vulkro --version) and platform.
  • Step-by-step reproduction, ideally with a minimal proof of concept.
  • Any logs, output, or crash traces, with secrets redacted.

If you need to send sensitive details, say so in your first email and we will arrange an encrypted channel.

Coordinated disclosure

We follow a coordinated-disclosure model:

  1. Report privately. Email [email protected] first. Please do not open a public issue, post the details on social media, or disclose publicly before a fix is available.
  2. We acknowledge. We confirm receipt and begin triage (see the response commitment below).
  3. We investigate and fix. We assess severity, develop a fix, and prepare a release. We will keep you updated on progress.
  4. We coordinate the announcement. We agree on a disclosure timeline with you. Our default target is to ship a fix within 90 days of a valid report, sooner for high-severity issues. Once a fix has shipped, the advisory is recorded in the changelog.
  5. We credit you. With your permission, we credit the reporter in the advisory.

Response commitment

Stage                        | Our commitment
-----------------------------+----------------------------------------------------
Acknowledge receipt          | Within 2 business days
Initial severity assessment  | Within 5 business days
Status update cadence        | At least every 10 business days until resolved
Target fix window            | Within 90 days; expedited for high-severity issues

Safe harbour

We will not pursue or support legal action against researchers who:

  • Make a good-faith effort to follow this coordinated-disclosure policy.
  • Avoid privacy violations, data destruction, and service degradation.
  • Only interact with accounts and machines they own or have explicit permission to test.

This is research-friendly by design. If you are acting in good faith and you are unsure whether an action is in scope, ask first at [email protected].

Out of scope

To keep signal high, the following are generally not treated as security vulnerabilities on their own:

  • Reports from automated scanners with no demonstrated impact.
  • Missing best-practice HTTP headers on static marketing pages with no exploit path.
  • Social-engineering, physical, or denial-of-service testing against our infrastructure.

When in doubt, report it and let us decide. We would rather receive a borderline report than miss a real issue.

See also: Trust and security architecture, Privacy policy, security.txt.