Security reporting policy
Last updated February 18, 2026
Use this policy to submit vulnerabilities responsibly and track expected response milestones from first report through remediation confirmation.
Submission requirements
- Send reports to admin@verirfp.com.
- Include attack path, impact scope, and reproducible steps.
- Provide proof-of-concept payloads only when needed to validate impact.
- Do not include customer secrets, personal data, or destructive payloads in email attachments.
Response cadence
- Acknowledgement: within 1 business day.
- Triage update: within 3 business days.
- Remediation ETA: shared after severity classification.
- Closure notice: sent when fix is deployed and validated.
Safe-reporting boundaries
- Test only assets you own or have explicit permission to assess.
- Do not disrupt service availability or access non-public customer data.
- Avoid social engineering and physical intrusion attempts.
- Respect security.txt disclosure details when coordinating reports.