Responsible disclosure
Report a vulnerability privately and give us a fair chance to protect customers. We will treat good-faith research with respect.
How to report
Email security@veillo.eu with the affected URL or feature, impact, reproduction steps, and any request or response evidence that does not contain another person’s data. Plain text is fine. We acknowledge a useful report as soon as practical and aim to give an initial assessment within five business days.
In scope
- Veillo domains, public APIs, authentication, authorisation, tenant separation, and production application code;
- cross-site scripting, request forgery, injection, insecure direct object references, token exposure, and meaningful security-header bypasses;
- demonstrable exposure of personal data or confidential customer records.
Out of scope
- automated scans without a demonstrated impact, missing best-practice headers already documented on the security page, or version banners;
- denial of service, traffic flooding, password spraying, social engineering, phishing, physical testing, or attacks on staff and vendors;
- issues in a third-party service that do not expose Veillo data or create a Veillo vulnerability;
- testing another customer’s account or data.
Rules for testing
Use accounts and data you control. Keep requests to the minimum needed to prove the issue. Stop if you encounter personal data, secrets, or another customer’s workspace, and report what happened without copying further material. Do not persist access, alter data, interrupt service, or make the issue public before remediation and a coordinated disclosure date.
Safe harbour
When you act in good faith, follow this policy, avoid harm, and report promptly, we will not pursue legal action against you for the research. If a third party starts legal action, we will make clear that your work followed this policy. This safe harbour does not authorise conduct that is illegal, destructive, or outside the scope above.
Recognition and rewards
We do not currently operate a paid bug-bounty programme. With your permission, we can credit a valid report after remediation. Please do not make payment a condition of disclosure.