Reporting a Security Vulnerability

Security and reliability are critical components of VGS. So we welcome any input that helps us identify and eliminate vulnerabilities. Through this responsible disclosure policy, we hope to properly recognize your efforts to help us ensure the security of our customers.

Reporting Vulnerabilities

If you believe you have found a security vulnerability that could impact VGS or our users, we encourage you to let us know right away. Please notify us at security@verygoodsecurity.com. If possible, please include evidence as well as steps for reproducing the issue. We are committed to responding promptly.

If your report contains sensitive data, please use the public GPG key provided below to encrypt and email your findings to us.

To protect our users, please refrain from sharing information about any potential vulnerabilities with anyone outside of VGS. Once we have confirmed and mitigated the vulnerability we hope that you will join us in an announcement.

Finally, we ask that you follow our Vulnerability Disclosure Policy and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.


Reporting Vulnerabilities

When researching, please don't :

  • Spam us
  • DOS or DDOS us
  • Social engineer (including phishing) our staff or contractors

Privacy Policy / Security Practices

VGS' Privacy Policy: https://www.verygoodsecurity.com/privacy-notice

VGS' Security Statement: https://www.verygoodsecurity.com/docs/security/

What to Expect from VGS

If you follow these guidelines, we promise to:

  • Take all reported findings seriously
  • Respond to your email within 48 hours
  • Confirm and acknowledge any findings identified
  • Credit and thank you after vulnerabilities have been fixed
  • Depending on severity, publicly disclose reported vulnerabilities that we've remed

Safe Harbor

If you follow these guidelines, VGS pledges not to pursue or support any legal action related to your research.