Responsible Disclosure
VeriProof is trust infrastructure for AI systems. Security is foundational to that mission — and we take vulnerability reports seriously. If you’ve discovered a security issue, we want to hear from you so we can fix it quickly and responsibly.
Report a vulnerability: security@veriproof.app
We aim to acknowledge every report within one business day and provide an initial assessment within three business days.
Scope
The following systems are within scope for responsible disclosure:
| Target | Scope |
|---|---|
| api.veriproof.app (Ingest API) | In scope |
| portal.veriproof.app (Customer Portal) | In scope |
| staff.veriproof.app (Staff Portal) | In scope |
| VeriProof SDKs (Python, TypeScript, .NET) | In scope |
| veriproof.app (marketing site / docs) | Limited scope — please describe clearly |
| Enterprise Federated deployments | Contact us before testing — see below |
| Third-party services (Azure, Solana) | Out of scope — report to the relevant vendor |
| Social engineering attacks against VeriProof staff | Out of scope |
If you’re unsure whether a specific target is in scope, reach out before proceeding. We’d rather you ask than accidentally exceed your authorisation.
What to Include in Your Report
A useful report gives us everything we need to reproduce and assess the issue:
- A clear description of the vulnerability and its potential impact
- The affected component or endpoint (URL, API path, SDK version)
- Step-by-step reproduction instructions, including any required account state
- Any proof-of-concept code, HTTP captures, or screenshots
- Your assessment of severity (we’ll do our own assessment, but yours is helpful)
- Whether you’ve disclosed or plan to disclose the issue elsewhere
Reports sent without reproduction steps are substantially harder to triage. If you’re uncertain about details, send what you have and we’ll work through it together.
Our Commitments
When you disclose a vulnerability responsibly:
- We’ll acknowledge your report within one business day
- We’ll keep you informed as we investigate and remediate
- We won’t take legal action against researchers acting in good faith within scope
- We’ll credit you in our release notes or security advisory (unless you prefer anonymity)
- We’ll notify you before we publish details of the vulnerability
We ask that you:
- Give us a reasonable time to fix the issue before any public disclosure
- Avoid accessing, modifying, or deleting data that doesn’t belong to you
- Don’t perform denial-of-service testing or automated scanning without prior coordination
- Don’t use vulnerabilities to pivot to out-of-scope systems
Severity & Response SLAs
We assess severity using a combination of CVSS scoring and business impact:
| Severity | Examples | Target fix time |
|---|---|---|
| Critical | Auth bypass, data leakage across tenants, blockchain record tampering | 24 hours |
| High | Privilege escalation within a tenant, cryptographic key exposure | 3 business days |
| Medium | Information disclosure, session fixation, CSRF | 10 business days |
| Low | Configuration weaknesses, non-exploitable findings | 30 business days |
These are targets, not guarantees. Complex architectural issues may require longer. We’ll let you know if a fix will take longer than the SLA and explain why.
Coordinated Disclosure
We follow coordinated disclosure. The standard timeline is 90 days from the date of our initial acknowledgement. If you need to disclose sooner — for example, because the issue is already actively exploited — please tell us and we’ll work to expedite remediation.
Once the fix is deployed, we’ll publish a security advisory and work with you on the timing and content of any public disclosure you’d like to make.
Enterprise Federated Deployments
If you’re a customer running an Enterprise Federated deployment in your own Azure subscription, the infrastructure within your subscription is your responsibility to test. However, the VeriProof Managed Application components — including the Notary service — fall under our responsible disclosure policy.
Contact us at security@veriproof.app before conducting any testing against Managed Application components in your environment.
CVE Assignment
For issues with broad impact, we’ll request a CVE through the relevant CNA (CVE Numbering Authority). We’ll coordinate with you on the CVE description and acknowledgement.
PGP Encryption
If the nature of your report requires confidentiality before initial contact, you can request our PGP public key by emailing security@veriproof.app from a separate, non-sensitive address. We’ll respond with our public key.
Next Steps
- Review Penetration Testing if you’re planning formal security testing
- See Security FAQ for common questions about our security posture
- Read Encryption for details about how data is protected at rest