Responsible disclosure

Bug bounty program

We pay for serious security findings reported in good faith. This page describes scope, severity tiers, and how to submit.

How to report

Email security@vintonyhost.com with a clear description, reproduction steps, and proof-of-concept code. For sensitive issues, encrypt to our PGP key (available on request from the same address — published key fingerprint on the security page).

We acknowledge within 24 hours, assign severity within 72 hours, and target the following remediation SLAs:

  • Critical: production fix within 72 hours.
  • High: fix within 14 days.
  • Medium / Low: next monthly maintenance window.

Reward tiers

Severity | Example findings | Reward
Critical | Remote code execution, full auth bypass, mass-account takeover | $1,000–$5,000
High | IDOR with sensitive data exposure, SSRF to internal, privilege escalation | $500–$1,000
Medium | Stored XSS, CSRF on sensitive action, sensitive info disclosure | $100–$500
Low | Self-XSS, missing security header on non-sensitive route, version disclosure | Hall-of-fame credit

Final reward is at our discretion based on severity, exploitability, and report quality. Duplicates and known issues are not eligible. We reserve the right to adjust over time.

In scope

Findings against these are eligible.

  • vintonyhost.com (main marketing + dashboard)
  • api.vintonyhost.com (when live)
  • Customer-facing email flows: signup, login, 2FA, reset, magic link
  • Customer dashboards and admin panels (after explicit scope-grant)

Out of scope

Don't run these without prior agreement.

  • Denial-of-service attacks (do not run without prior approval)
  • Social-engineering attacks against staff or customers
  • Physical attacks against our facilities
  • Spam or volumetric attacks against email infrastructure
  • Findings in third-party services (Resend, Stripe, Supabase, Cloudflare) — report to them directly

Safe-harbour

We do not pursue legal action against good-faith researchers who follow this disclosure policy and do not damage user data or service availability.
