Vulnerability Disclosure Policy

Last updated: April 2026

At Valpero, security is a core part of how we build and operate our service. We welcome responsible disclosure of security vulnerabilities and take all reports seriously.

Report a vulnerability

Send your report to [email protected]. Please encrypt sensitive findings using our PGP key (available on request). We aim to respond within 48 hours.

Scope

The following are in scope for this policy:

  • valpero.com and all subdomains (api.valpero.com, status.valpero.com, etc.)
  • Valpero web application and REST API
  • Authentication and session handling
  • Data exposure or unauthorized access to user data

The following are out of scope:

  • Denial-of-service (DoS / DDoS) attacks
  • Social engineering or phishing attacks against Valpero staff or users
  • Physical security issues
  • Vulnerabilities in third-party software not directly under our control
  • Issues that require unlikely user interaction or already-compromised devices
  • Missing security headers without demonstrated impact

What we ask of you

  • Give us reasonable time to investigate and fix the issue before public disclosure (we ask for at least 90 days).
  • Do not access or modify data belonging to other users.
  • Do not disrupt production systems or degrade service for other users.
  • Do not perform automated scanning beyond what is needed to confirm the vulnerability.
  • Provide a clear and reproducible proof-of-concept when possible.

What we commit to

  • Acknowledge your report within 48 hours.
  • Keep you informed of our progress throughout the remediation process.
  • Credit you in our release notes (if you wish) once the issue is resolved.
  • Not pursue legal action against researchers acting in good faith under this policy.

Safe harbor

We consider security research conducted under this policy to be authorized. We will not initiate legal action against you for good-faith security research. If a third party initiates legal action against you for research conducted in accordance with this policy, we will make it known that your actions were taken in compliance with our policy.

Rewards

We currently do not operate a paid bug bounty program. However, we genuinely appreciate the effort of security researchers and will acknowledge significant findings publicly (with your permission) and may offer extended Pro access as a thank-you.

Encrypted reporting

For sensitive vulnerabilities, you can request our PGP public key by emailing [email protected] before submitting your report.