Responsible Disclosure Policy
Last updated: March 28, 2026
How to Report a Vulnerability
Please send your findings to security@veroskills.com. Include as much of the following as you can:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue or proof-of-concept
- The affected URL, endpoint, or component (if applicable)
- Your name and contact information (if you'd like to be credited)
What to Expect
| Step | Timeline |
|---|---|
| Acknowledgment of your report | Within 1 business day |
| Initial assessment and triage | Within 5 business days |
| Status update or resolution | Within 30 business days |
We may reach out for additional information or clarification during the process. We will notify you when the issue has been resolved.
Our Commitment (Safe Harbor)
If you conduct security research in good faith and in accordance with this policy, we consider your research to be:
- Authorized under applicable anti-hacking laws
- Exempt from DMCA restrictions related to circumventing security controls
- Exempt from any restrictions in our Terms of Service that would interfere with your research
We will not pursue legal action against researchers who act in good faith and comply with this policy.
We Ask That You
- Report vulnerabilities promptly after discovery
- Give us reasonable time to investigate and remediate before disclosing publicly
- Avoid accessing, modifying, or deleting data belonging to other users
- Avoid actions that degrade the availability or performance of our services (e.g., denial of service)
- Do not use automated scanning tools at scale against production systems without prior coordination
- Do not engage in social engineering, phishing, or physical attacks against our employees or facilities
- Do not test against accounts you do not own unless explicitly authorized
Out of Scope
The following are generally considered out of scope unless they demonstrate a clear and significant security impact:
- Reports from automated tools or scanners without a demonstrated exploit
- Missing security headers that do not lead to a demonstrable vulnerability
- Clickjacking on pages with no sensitive actions
- Self-XSS (cross-site scripting that only affects the reporter's own session)
- Email configuration issues (SPF, DKIM, DMARC) without a demonstrated exploit
- Missing rate limiting or brute-force protection on non-authentication endpoints
- Vulnerabilities in third-party services or dependencies we do not control
- Social engineering or phishing attacks
- Physical security issues
Recognition
We appreciate the contributions of security researchers who help keep our platform safe. With your permission, we are happy to:
- Acknowledge your contribution publicly on our security page
- Provide a reference or letter confirming your responsible disclosure
VeroSkills does not currently operate a paid bug bounty program.
Scope
This policy applies to all systems and services operated by VeroSkills, including:
- veroskills.com and all subdomains
- Public-facing APIs
Third-party services hosted on our behalf (e.g., SaaS tools, payment processors) are not in scope. If you're unsure whether a system is in scope, contact us at security@veroskills.com before testing.
Found a vulnerability? We want to hear from you.
Reach out directly and we'll respond within 1 business day.