Responsible Disclosure
We rely on the security community to keep vumyo and its customers safe. If you find a vulnerability, this page tells you how to report it and what we commit to in return.
Scope
In scope: anything reachable from vumyo.com, the API and app origins, vumy.net, or any subdomain operated by VUMY Technologies.
Out of scope
- Denial-of-service or volumetric attacks.
- Social engineering of VUMY Technologies employees, contractors, or customers.
- Physical attacks on VUMY Technologies offices or infrastructure.
- Reports based solely on the absence of standard headers without proof of impact.
- Reports that require active malicious user participation (you must hold both ends of the attack).
Safe harbor
Good-faith security research, conducted in scope, is authorized under this policy. We will not pursue legal action under the CFAA, DMCA, or analogous laws against researchers who:
- Make a good-faith effort to avoid privacy violations and degradation of services.
- Only access the minimum data necessary to demonstrate the vulnerability.
- Do not exploit, modify, or destroy customer data.
- Give us a reasonable disclosure window before public release (90 days default).
- Report the issue to us via the channel below.
How to report
Email security@localhost with a clear description of the vulnerability, reproduction steps, and the impact. Encrypt sensitive PoCs with our PGP key (published at /.well-known/security.txt when available).
What you'll get back
- Acknowledgement within 2 business days.
- Triage and severity classification within 5 business days.
- Status updates as we work on the fix.
- Public credit in our monthly transparency post (with your consent).
Bounty
A formal bug-bounty program is on the roadmap. Until then, we send a handwritten note and (for high-impact issues) a discretionary thank-you.