Vulnerability Disclosure Policy

Effective date: April 1, 2026

Last updated: July 18, 2026

We welcome good-faith reports of security vulnerabilities. If you believe you have found a vulnerability in Verifex, please report it to us so we can investigate and remediate it.

How to report

Email hello@verifex.dev with enough detail for us to reproduce and assess the issue — steps to reproduce, affected endpoints or pages, and any relevant proof-of-concept. We prioritise reports involving account access, API keys, tenant isolation, or data exposure.

Allowed testing

  • Good-faith testing against your own account and data.
  • Investigating and reporting a suspected vulnerability without exploiting it further than necessary to demonstrate it.

Prohibited activity

  • Destructive testing, including deleting, modifying, or corrupting data.
  • Accessing, altering, or exfiltrating other users' or third parties' data.
  • Denial-of-service or resource-exhaustion attacks.
  • Social engineering of our staff, contractors, or users.
  • Public disclosure before a reasonable remediation window has passed and we have confirmed a fix.

Rewards

We do not currently operate a paid bug bounty. There is no monetary reward for reports.

Our response

We aim to acknowledge reports and provide an initial assessment promptly, and to keep you informed as we remediate. These acknowledgement and response targets are goals, not a contractual service-level agreement.

See also our Security page and security.txt.