Vareto maintains a Responsible Disclosure Policy (RDP) scoped to particular assets as identified below. You can contact us for more information or to report vulnerabilities firstname.lastname@example.org.
Vareto’s Responsible Disclosure Policy covers the following products:
- Vareto’s core platform, including the Vareto web application (app.vareto.com) and public APIs
The scope of this policy may expand in the future as we add additional product capabilities and gain experience with this process.
Vareto will not engage in legal action against individuals who submit vulnerability reports to email@example.com in accordance with this policy. We openly accept reports for the Vareto products identified above. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Vareto or its customers.
- Engage in vulnerability testing within the scope of our responsible disclosure policy.
- Adhere to the laws of their location and the location of Vareto.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Submitting a vulnerability
Submit vulnerability reports to Vareto’s Product Security Team via firstname.lastname@example.org.
Report Prioritization and Acceptance Criteria
Preference will be given to reports that meet the following criteria:
- Well-written reports in English will have a higher probability of resolution
- Proof-of-concept code is provided when applicable
- Reports that include only crash dumps or other automated tool output may receive lower priority
- Reports that include products not on the initial scope list may not be considered
- Include how you found the bug, the impact, and any potential remediation
- Please include any plans or intentions for public disclosure
What you can expect from Vareto:
- A timely response to your email (within 2 business days)
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it
- An open dialog to discuss issues
- Credit after the vulnerability has been validated and fixed
Vareto reserves the right to use a neutral third party to assist in determining how best to handle the vulnerability.