# Vulnerability Disclosure Program (VDP) Policy

Welcome to the VulnServerLabs Vulnerability Disclosure Program. We appreciate your help in keeping our systems secure. Please read and follow the guidelines below when reporting issues.

---

## 1. Program Participation

**Our program is invitation-only.** To request access, email [security@vulnserverlabs.com](mailto:security@vulnserverlabs.com) with your GitHub username and a short bio/affiliation. Vetted researchers (e.g. Synack red teamers) are invited as Triage collaborators on our private `vuln-reports` repo.

---

## 2. Program Scope

**In-scope:**

- Web applications and APIs under `*.vulnserverlabs.com`, `*.vulnserverlabs.link` and `*.vulnserver.net`
- Internal admin portals and test environments

**Out-of-scope:**

- Third-party services we do not control (e.g. AWS, GCP, Auth0, Stripe); test only functionality that VulnServerLabs operates
- Denial-of-service testing
- Physical attacks and social engineering

---

## 3. Distinct Issue Enforcement

**We require each vulnerability to be reported only once.** Before opening a new issue, search the **issue tracker** for existing reports:

1. Go to the Issues tab of the private repo: [https://github.com/VulnServerLabs/vuln-reports/issues](https://github.com/VulnServerLabs/vuln-reports/issues)
2. In the search box, you can:
   - Enter keywords from your finding (e.g. `sql injection`, `auth bypass`)
   - Use filters like `is:issue is:open` to limit to open reports
   - Combine with labels, e.g. `label:severity:high`

Any report submitted after the first valid report of the same issue will be closed as **“Duplicate”** without further action.

---

## 4. PoC & Sensitive Detail Handling

**For confidentiality, please submit your full proof-of-concept code, screenshots, or other sensitive artifacts via email to**
security@vulnserverlabs.com
In the GitHub issue itself, include only:
- A high-level description of the issue
- Steps to reproduce (omit any secrets)
- Non-sensitive logs or request samples
Once we’ve triaged your submission, we may follow up by email for the full PoC.
---
## 5. Timestamped Credit (First-Finder)
**All GitHub issues are timestamped.**
We will honor the timestamp of the **first** valid submission to determine report priority. We do **not** offer monetary bounties; instead, researchers will be credited on our [Acknowledgments](./ACKNOWLEDGMENTS.md) page once an issue is remediated.
---
## 6. Regulatory & Privacy Considerations
**Currently, VulnServerLabs is not subject to specific regulatory vulnerability-handling mandates.**
If any legal or industry requirements (e.g., data-handling, third-party risk) arise, we will update this policy and our processes accordingly.
---
## 7. Process Workflow
1. **Onboard**
- Vetted researchers (e.g. Synack red teamers) are invited as **Triage** collaborators on the private `vuln-reports` repo.
- Send an email to [security@vulnserverlabs.com](mailto:security@vulnserverlabs.com) with your GitHub username and a short bio/affiliation.
2. **Submit an Issue**
- Search for duplicates.
- Open a new issue with the high-level description and reproduction steps.
3. **Email Full PoC**
- Immediately email your full exploit code or sensitive attachments to [security@vulnserverlabs.com](mailto:security@vulnserverlabs.com).
4. **Triage & Acknowledgement**
- We will acknowledge receipt within 72 hours.
- Triage and severity assessment completed within 7 days.
5. **Remediation & Credit**
- The fix is tracked in the same issue.
- Upon remediation, your name (or alias) will be added to our [Acknowledgments](./ACKNOWLEDGMENTS.md) page.
6. **Review & Update**
- This policy will be reviewed at least annually, or whenever new regulatory requirements apply.
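The duplicate search from section 3 and the "omit any secrets" rule from section 4 (high-level text in the issue, full PoC by email) can be scripted. The Python helper below is an added example, not VulnServerLabs tooling: it composes the GitHub search query, ranks existing issues by title overlap so likely duplicates surface before you file, and redacts bearer tokens, cookies and key/password values from request samples before they go into the issue body. It assumes GitHub's REST search endpoint and a personal access token with access to the private repo; the `SAMPLE_ISSUES` list, the `app.vulnserverlabs.com` host and the `/api/v1/search` path are constructed for illustration and do not describe real issues.

```python
"""Pre-submission helper for the vuln-reports workflow.

Added example, not VulnServerLabs tooling. Assumes the GitHub REST
search endpoint and a personal access token with access to the private
repo; SAMPLE_ISSUES is constructed data standing in for an API response.
"""
import json
import re
import urllib.parse
import urllib.request

REPO = "VulnServerLabs/vuln-reports"                 # from the policy
SEARCH_API = "https://api.github.com/search/issues"  # GitHub REST API
STOPWORDS = {"a", "an", "and", "in", "of", "on", "the", "to", "via"}

# Constructed stand-in for the Search API's "items" list (not real issues).
SAMPLE_ISSUES = [
    {"number": 12, "state": "open",
     "title": "SQL injection in /api/v1/search q parameter"},
    {"number": 31, "state": "open",
     "title": "Auth bypass on admin portal via stale session"},
    {"number": 40, "state": "closed",
     "title": "Reflected XSS in login error page"},
]

# Material that must never land in the issue text; the full PoC with live
# credentials goes to security@vulnserverlabs.com instead.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(cookie:\s*)[^\r\n]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)((?:api[_-]?key|password|token)[\"']?\s*[:=]\s*[\"']?)"
                r"[^\s\"'&]+"), r"\1[REDACTED]"),
]


def build_search_query(keywords, open_only=True, label=None):
    """Compose the search string from section 3 (repo, filters, keywords)."""
    parts = [f"repo:{REPO}", "is:issue"]
    if open_only:
        parts.append("is:open")
    if label:
        parts.append(f"label:{label}")
    parts.extend(keywords)
    return " ".join(parts)


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS


def likely_duplicates(issues, title, threshold=0.3):
    """Rank existing issues by token overlap (Jaccard) with a new title."""
    want = _tokens(title)
    hits = []
    for issue in issues:
        have = _tokens(issue["title"])
        if not want or not have:
            continue
        score = len(want & have) / len(want | have)
        if score >= threshold:
            hits.append((issue["number"], round(score, 2)))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def redact(sample):
    """Strip bearer tokens, cookies and key/password values from a sample."""
    for pattern, replacement in SECRET_PATTERNS:
        sample = pattern.sub(replacement, sample)
    return sample


def build_issue_body(description, steps, samples):
    """Assemble the non-sensitive issue text section 4 asks for."""
    lines = ["## Summary", description, "", "## Steps to reproduce"]
    lines += [f"{i}. {step}" for i, step in enumerate(steps, 1)]
    lines += ["", "## Request samples (redacted)"]
    lines += ["    " + redact(line)
              for sample in samples for line in sample.splitlines()]
    lines += ["", "Full PoC sent separately to security@vulnserverlabs.com."]
    return "\n".join(lines)


def search_github(query, token):
    """Live duplicate search (needs network and a token with repo access)."""
    url = SEARCH_API + "?" + urllib.parse.urlencode({"q": query, "per_page": 50})
    request = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.load(response)["items"]


if __name__ == "__main__":
    query = build_search_query(["sql", "injection"], label="severity:high")
    print(query)
    # Offline run uses the constructed list; swap in search_github(query, token).
    print(likely_duplicates(SAMPLE_ISSUES, "SQL injection in search API q parameter"))
    # Hypothetical host, path and request; the token value is a placeholder.
    print(build_issue_body(
        "Unauthenticated SQL injection in the search API",
        ["Send the request below", "Observe a database error in the response"],
        ["GET /api/v1/search?q=' HTTP/1.1\nHost: app.vulnserverlabs.com\n"
         "Authorization: Bearer eyJhbGciOi.example.signature"],
    ))
```

Run it as-is to see the query string, the ranked matches against the constructed list and a redacted issue body; for a real check, call `search_github` with the query and your token and pass its result to `likely_duplicates`. The redaction list is deliberately narrow (headers and key/password fields); review the body by eye before posting, since anything the patterns miss still ends up in the repo.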
---
*Thank you for helping us improve the security of VulnServerLabs.*