Security

At Vulnotes, we take security seriously. We welcome and appreciate responsible security research to help us keep our platform and users safe.
Responsible Disclosure Policy

We encourage security researchers to help us identify vulnerabilities in our platform. If you believe you've found a security issue, we ask that you follow these guidelines:

What is allowed

  • Testing for vulnerabilities on your own account and data
  • Reporting vulnerabilities through our designated channel
  • Giving us reasonable time to address the issue before public disclosure
  • Acting in good faith to avoid privacy violations, data destruction, or service disruption

What is strictly prohibited

  • Accessing, modifying, or deleting other users' data: never interact with accounts or data that do not belong to you
  • Disrupting the platform's availability: do not perform denial-of-service (DoS/DDoS) attacks or actions that degrade performance for other users
  • Social engineering or phishing: do not target Vulnotes employees, contractors, or users
  • Automated scanning at scale: avoid aggressive automated testing that could impact service stability
  • Exfiltrating sensitive data: if you discover exposed data, report it immediately without copying or storing it
  • Public disclosure before resolution: allow us reasonable time (typically 30 days) to fix the issue before disclosing publicly
  • Exploiting vulnerabilities beyond proof of concept: demonstrate the issue without causing harm

Scope

The following are in scope for security testing:

  • *.vulnotes.com: main website and subdomains
  • your-workspace.vulnotes.app: your own SaaS instance only
  • Vulnotes API endpoints
  • Self-hosted Docker images (your own deployment)

The following are out of scope:

  • Third-party services and integrations
  • Physical security attacks
  • Social engineering attacks
  • Attacks requiring physical access to a user's device

How to Report a Vulnerability

If you've discovered a security vulnerability, please report it to us via email:

contact@vulnotes.com

Please include in your report:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

We will acknowledge receipt of your report within 48 hours and aim to provide an initial assessment within 7 days.
Recognition

While we do not currently offer a paid bug bounty program, we deeply appreciate the contributions of security researchers. As a token of our gratitude:

  • Valid reports will be acknowledged in our Hall of Fame below
  • We will credit you (with your permission) when we disclose fixed vulnerabilities
  • Researchers who follow our guidelines will not face legal action for their good-faith efforts

Hall of Fame

We thank the following security researchers for their responsible disclosure and contribution to making Vulnotes more secure.

No entries yet. Be the first to responsibly disclose a vulnerability and get recognized here.
Contact

For security-related inquiries, please contact us at:

Vulnotes Security Team

Email: contact@vulnotes.com