Security & Responsible Disclosure
Vin-G takes the security of our platform seriously. We welcome reports from security researchers who discover vulnerabilities in good faith.
1. Scope
This policy covers all Vin-G systems accessible at vin-g.com and its subdomains.
2. In Scope
- Authentication bypass or privilege escalation
- Injection vulnerabilities (SQL, command, LDAP, etc.)
- Cross-Site Scripting (XSS) with meaningful impact
- Insecure direct object references (IDOR) exposing other users' data
- Sensitive data exposure (PII, credentials, financial data)
- Server-Side Request Forgery (SSRF)
3. Out of Scope
- Denial of Service (DoS/DDoS) attacks
- Social engineering or phishing of Vin-G staff
- Vulnerabilities in third-party services we use (report to them directly)
4. Safe Harbour
Vin-G will not pursue legal action against researchers who act in good faith, follow this policy, and do not access, modify, or delete data belonging to other users.
5. Reporting
Email security@vin-g.com with a description of the vulnerability, steps to reproduce, and your assessment of impact.
6. Response SLA
| Action | Target timeline |
|---|---|
| Acknowledge receipt | 2 business days |
| Status update | 7 business days |
| Resolution for critical issues | 30 days |
| Resolution for non-critical issues | 90 days |