Reporting a security issue
Responsible disclosure, PGP key, and our triage SLA.
We take security disclosures seriously. Email security@vintonyhost.com with a clear description of the issue and reproduction steps; encrypt to our PGP key if the issue is sensitive.
Our triage SLA: within 24 hours we acknowledge receipt and assign a severity. Critical issues (RCE, auth bypass, data exposure) are typically fixed in production within 72 hours, medium issues within 14 days, and low issues during the next monthly maintenance window.
Bug-bounty payouts are case-by-case; with their permission, we publicly acknowledge responsible reporters on our security page. We do not pursue legal action against good-faith researchers who follow our disclosure policy.
Out of scope: social-engineering attacks against our support team, denial-of-service testing (we'll co-ordinate; do not run without prior approval), and physical attacks against our facilities.