Responsible disclosure to CVD Portal
We run a vulnerability disclosure platform. We hold ourselves to the same standards we build into the product. This page is our own coordinated disclosure policy.
Include reproduction steps, affected URL, impact, and any proof-of-concept. We accept PGP-encrypted reports — fingerprint and key published alongside this policy once rotation lands.
This policy is RFC 9116 (security.txt) compliant. It expires 17 April 2027; we re-sign and publish a refreshed version before that date.
In scope
- cvdportal.com and app.cvdportal.com
- Tenant whitelabel portals hosted on *.cvdportal.com
- Public APIs documented at /docs and /api
- Authentication, session, and billing flows
- Any code published in our public GitHub organization
Out of scope
- Denial-of-service, volumetric, or rate-limit testing against production
- Social engineering of CVD Portal employees, contractors, or vendors
- Physical attacks against our infrastructure or offices
- Findings from automated scanners without a working proof-of-concept
- Missing security headers or best-practice hardening without a demonstrable impact
- Self-XSS, reports requiring a fully compromised victim device, or theoretical issues without exploit paths
- Third-party services we use (Stripe, Resend, Cloudflare) — report those upstream
Response commitments
| Severity | Acknowledgment | Triage | Remediation |
|---|---|---|---|
| critical | within 24 hours | within 72 hours | targeted within 14 days |
| high | within 48 hours | within 5 business days | targeted within 30 days |
| medium | within 5 business days | within 10 business days | targeted within 90 days |
| low | within 5 business days | within 30 days | next scheduled release |
Severity follows CVSS 3.1. If a report spans multiple severities, we apply the highest. These are targets, not contractual SLAs — delays will be communicated with a revised timeline.
Safe harbor
We will not pursue civil or criminal action, or take adverse steps with law enforcement, against researchers who act in good faith and within the boundaries below.
- Make a good-faith effort to avoid privacy violations, service disruption, and data destruction.
- Only interact with accounts you own or for which you have explicit written permission.
- Do not access, modify, or exfiltrate more data than necessary to demonstrate the issue.
- Give us a reasonable window to remediate before any public disclosure (minimum 90 days, extended by mutual agreement for complex issues).
- Do not use findings to harm CVD Portal, our customers, or their reporters.
We do not operate a paid bug bounty at this time. We recognize contributors on a public acknowledgments list at their request.
Reports about a tenant portal
If the vulnerability is in a product or service made by a company that uses CVD Portal to receive reports (e.g. company.cvdportal.com), submit it directly to that company's portal. That is exactly what this platform is for. Contact us only if the report concerns CVD Portal itself, or if a tenant portal is unreachable and you cannot reach the tenant through other channels.
Last updated 17 April 2026. Policy version tracked at /.well-known/security.txt. Questions about this policy: /contact.