security@cybervault.dev
We take security seriously. If you've discovered a vulnerability in our systems, we want to hear from you. This page outlines how to responsibly disclose security issues and our bug bounty program.
📬 How to Report a Vulnerability
Use one of the following channels to securely report a security concern. All reports are handled with strict confidentiality.
🔐 PGP Public Key
Use this key to encrypt sensitive communications. Key fingerprint: 4A2B 8C9D 1E3F 7A6B 5D4C 9E8F 2B1A 3C4D 6E5F 7A8B
✅ In Scope
The following systems and services are covered under our responsible disclosure program.
| Asset | Status |
|---|---|
| cybervault.dev & subdomains | In Scope |
| API endpoints (api.cybervault.dev) | In Scope |
| Customer dashboard & portals | In Scope |
| Mobile applications (iOS & Android) | In Scope |
| Authentication & session management | In Scope |
| Cloud infrastructure (AWS/Azure) | In Scope |
| Third-party integrations we control | In Scope |
❌ Out of Scope
The following are not covered and should not be tested.
| Asset | Status |
|---|---|
| Customer-owned infrastructure | Out of Scope |
| Social engineering attacks | Out of Scope |
| DDoS / DoS attacks | Out of Scope |
| Availability / denial of service | Out of Scope |
| Third-party services we don't control | Out of Scope |
| Physical security issues | Out of Scope |
| Automated scanning tool reports | Out of Scope |
💰 Bug Bounty Rewards
We reward valid vulnerability reports based on severity and impact. Rewards are paid within 30 days of verification.
🎯 Bonus Multipliers
Reports that include a proof-of-concept exploit or affect multiple services may qualify for increased rewards. Zero-day vulnerabilities receive consideration up to $50,000 based on impact assessment.
📋 What to Include
To help us triage and resolve your report quickly, please include the following:
- Clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Proof of concept (PoC) code or screenshots where applicable
- Affected URLs, endpoints, or components
- Your contact information (encrypted via PGP if preferred)
- Severity assessment and suggested CVSS score
- Any potential remediation suggestions
⚠️ Testing Guidelines
Please follow these guidelines when conducting security tests:
- Only test systems listed as in-scope
- Do not access, modify, or delete customer data
- Do not use automated tools that cause service disruption
- Do not test on production at high volume
- Report findings privately — no public disclosure until resolved
- Return or delete any sensitive data discovered
🚫 Strictly Prohibited
Any activity that causes service disruption, data destruction, or affects customer environments will result in immediate program termination and may be reported to law enforcement.
⏱️ Our Response Timeline
We are committed to timely communication throughout the vulnerability disclosure process.
🤝 Safe Harbor
Your participation in our responsible disclosure program is considered authorized activity, and we will not pursue legal action against you. We appreciate your help in making our services more secure.
📧 Communication
We'll keep you informed at each stage. You can request anonymity — we'll only use your name or handle with explicit permission for public acknowledgment.
🏆 Hall of Fame
Consistent contributors with multiple valid reports are invited to our Hall of Fame page and may receive exclusive access to new program features.
❓ Frequently Asked Questions
**Can I report anonymously?**
Yes, absolutely. You can submit a report without providing your real name. We accept pseudonyms and burner email addresses. However, providing contact information helps us communicate effectively during the triage process.
**How quickly will you respond?**
We aim to acknowledge all reports within 24 hours. Critical and high-severity issues are escalated immediately to our incident response team, which operates 24/7. You'll receive regular updates throughout the resolution process.
**Will I be credited publicly?**
Only with your explicit permission. If you'd like to be credited, we'll list your name or handle on our Hall of Fame page and in our public security reports. You can also request complete anonymity.
**What happens if my report is rejected?**
If a report is rejected, we'll provide a clear explanation of why. If you disagree with the decision, you can request a review by our senior security engineer. We treat all researchers with respect regardless of the outcome.
**Are third-party services in scope?**
No. Only systems and services directly owned and operated by CyberVault are in scope. Third-party integrations, payment processors, CDN providers, and customer environments are explicitly out of scope. Testing these may violate their terms of service.
**How are rewards paid?**
Rewards are paid via bank transfer, PayPal, or cryptocurrency (BTC/ETH) within 30 days of verification. For international payments, we may use Wise or other supported methods. Tax responsibilities are the researcher's obligation.