Responsible Disclosure

Virovici LLC ("Virovici," "we," or "us") takes the security of our systems seriously. If you believe you have identified a vulnerability in any Virovici-operated system, we encourage you to report it to us before disclosing it publicly. We will investigate all credible reports and work to remediate confirmed issues in a reasonable timeframe.

The following systems are in scope for this policy:

• —virovici.com and all associated subdomains
• —Client-facing infrastructure directly operated and controlled by Virovici

If you are unsure whether a system falls within scope, err on the side of reporting and we will clarify.

The following are explicitly out of scope and must not be tested:

• —Social engineering of Virovici personnel or clients
• —Physical security attacks against Virovici or its clients
• —Denial-of-service or resource exhaustion attacks of any kind
• —Automated scanning without prior written authorization
• —Attacks against client systems that are not operated by Virovici
• —Vulnerabilities in third-party software or services that we do not control

Send your report to [email protected] with the subject line "Security Disclosure." Please include as much detail as you reasonably can:

• —A description of the vulnerability and its potential impact
• —Steps to reproduce, including relevant URLs, request/response examples, payloads, or screenshots
• —Your name or handle if you would like to be acknowledged (entirely optional)

We do not currently operate a paid bug bounty program. We do recognize good-faith researchers and will acknowledge your contribution publicly if you wish.

When you report a vulnerability in good faith under this policy, we commit to:

• —Acknowledging receipt of your report within three business days
• —Providing an initial assessment within ten business days
• —Keeping you reasonably informed of remediation progress
• —Not pursuing legal action against you for research conducted within the bounds of this policy
• —Treating your report and contact information as confidential

We ask that researchers:

• —Allow us reasonable time to investigate and remediate before any public disclosure
• —Avoid accessing, modifying, exfiltrating, or destroying data that does not belong to you
• —Limit testing to what is necessary to confirm the existence of a vulnerability
• —Not exploit the vulnerability beyond what is minimally necessary to demonstrate it

Security reports and general inquiries may be sent to [email protected].