1. Our commitment
We take the security of our service seriously and welcome reports from customers, partners, and independent security researchers. This policy describes how to report a vulnerability, what to expect from us in return, and the protections we offer to good-faith researchers.
2. How to report
Send your report to security@vatidator.com.
Please include:
- Description of the issue and its potential impact
- Steps to reproduce, with the minimum information needed to demonstrate the issue
- Any supporting evidence (screenshots, request/response captures, sample tokens); please redact sensitive parts such as credentials or customer identifiers
- Your contact details (so we can follow up) and, if applicable, your preferred public-credit name
If encrypted communication is required, please request it in your initial email. We will provide an appropriate secure channel where feasible.
3. Scope
In scope:
- https://vatidator.com
- https://app.vatidator.com (if and when publicly available)
- Vatidator-owned API endpoints explicitly listed in our public documentation
- Official Vatidator extensions for Microsoft Dynamics 365 Business Central (published on Microsoft AppSource when live)
- Official Vatidator extensions for Salesforce CRM (published on Salesforce AppExchange when live)
Subdomains or environments not explicitly listed above are out of scope unless we confirm otherwise in writing.
4. Testing rules
When testing for vulnerabilities in scope, please:
- Use your own account, tenant, or test environment whenever possible
- Use the minimum number of requests necessary to demonstrate the issue
- Stop immediately if you encounter customer data, and report the issue without persisting that data
- Do not persist access, create backdoors, or maintain unauthorized access
- Do not degrade service availability
- Do not publicly disclose vulnerability details until coordinated with us
To protect customers and service availability, please do not perform:
- Destructive testing of any kind
- Social engineering, phishing, or vishing attempts against Vatidator staff or customers
- Credential stuffing or brute-force attacks
- Spam, mass email, or notification abuse
- Malware upload, deployment, or persistence/backdoor attempts
- High-volume automated scanning without prior written permission
- Denial-of-service or resource-exhaustion testing
- Access, download, modification, or deletion of customer data
- Any action that could affect customers other than yourself
5. Out of scope
The following are out of scope for this policy:
- Third-party services we rely on (Microsoft Azure, Cloudflare, Microsoft AppSource, Salesforce AppExchange, official tax-authority registries). Report those to the respective providers.
- Issues in customer-controlled environments (your BC/SF tenant configuration, your network)
- Purely theoretical issues without a realistic attack scenario or material security impact; such reports may be deprioritized
- Known vulnerabilities in third-party libraries, unless they are exploitable in Vatidator's deployed environment or materially affect customer data or service security
- Social engineering against Vatidator staff
- Physical security of any premises
- Denial-of-service via volumetric attack
6. Safe harbor
If you make a good-faith effort to comply with this policy, we will treat your research as authorized and do not intend to pursue legal action against you for the research activities covered by this policy.
This safe harbor does not apply to actions that:
- Harm customers or other third parties
- Disrupt our service
- Access, modify, or exfiltrate customer data beyond the minimum necessary to demonstrate the issue
- Target third-party systems
- Violate applicable law
- Go beyond what is reasonably necessary to identify and report a vulnerability
This policy does not authorize activity that is unlawful, targets third-party systems, or is unrelated to identifying and reporting a vulnerability in Vatidator systems.
If at any point you are uncertain whether your research is within scope or in good faith, please contact us at security@vatidator.com for clarification before proceeding.
7. What to expect from us
| Step | Our target |
|---|---|
| Acknowledge receipt of your report | Within 3 business days |
| Initial triage and severity assessment | Within 5 business days |
| Status update during remediation | At least every 14 days |
| Fix deployed for confirmed vulnerabilities | Severity-dependent. Critical: as fast as possible; high: typically within 30 days; medium/low: typically within 90 days |
We will keep you informed of progress during remediation. We may credit you publicly (on our website or changelog) for valid reports if you wish, or treat your report as anonymous if you prefer.
8. Coordinated disclosure
We follow a coordinated disclosure model. We ask researchers not to publicly disclose vulnerability details until we have had a reasonable opportunity to investigate and remediate the issue.
As a general guideline, we aim to coordinate disclosure within 90 days of the initial report, or sooner if the issue is resolved earlier. Different timelines may be agreed depending on severity, customer impact, and remediation complexity.
If you believe disclosure is necessary before remediation is complete, please notify us at least 7 days in advance so we can reassess risk and coordinate next steps.
9. Recognition
We do not currently offer a paid bug bounty program. We may consider a paid bounty program in the future.
At our discretion, we may offer non-monetary recognition for valid reports, such as:
- Public credit on our website (with your permission)
- A direct line of communication with the engineering team
- Other appropriate acknowledgements
10. Contact
security@vatidator.com
For non-security questions, please use info@vatidator.com.
This policy is reviewed at least annually and updated to reflect our current security posture.