Bug Bounty & Vulnerability Disclosure Policy

Vexor is committed to building a secure, reliable, and resilient platform. We invite security researchers, ethical hackers, and cybersecurity professionals to help us identify vulnerabilities through responsible disclosure. This policy provides detailed guidelines for safe testing, reporting, eligibility, legal protections, and reward evaluation.

1. Purpose of This Policy

The Vexor Bug Bounty & Vulnerability Disclosure Program exists to support the discovery and responsible reporting of security vulnerabilities. Our core objectives are to:

  • Strengthen platform resilience through collaborative security testing
  • Protect users, creators, brands, and business partners
  • Create structured, transparent reporting channels for ethical research
  • Promote industry-leading security practices aligned with regulatory requirements
  • Enable rapid remediation and continuous improvement of Vexor’s systems

2. Safe Harbor Protection (Legal Protection for Researchers)

Vexor supports good-faith security research and provides strong Safe Harbor assurances. Researchers who adhere to this policy will receive the following protections:

  • No legal action for authorized testing performed within policy boundaries
  • No suspension or banning of accounts used for testing
  • Cooperative and respectful engagement from Vexor’s Security Team
  • Eligibility for bug bounty rewards where applicable

Safe Harbor applies only if testing does not involve any of the following:

  • Accessing, modifying, or downloading live user data
  • Service disruption or degradation
  • Use of aggressive or destructive exploitation methods
  • Exceeding the minimum necessary steps to demonstrate impact

3. In-Scope Vulnerabilities (Eligible for Bounty Rewards)

The following categories of vulnerabilities are considered in scope for bounty evaluation:

  • Account takeover and authentication bypass
  • Session hijacking, fixation, or mismanagement
  • Cross-Site Scripting (Reflected, Stored, DOM-based)
  • SQL injection and database exploitation vectors
  • Privilege escalation or unauthorized access
  • Server-side code execution vulnerabilities
  • API authorization bypass or insecure direct object references (IDOR)
  • Misconfigurations affecting data confidentiality or integrity
  • Exposure of sensitive metadata or PII leaks via endpoints
  • Insecure storage of sensitive information
  • Cross-tenant data access or isolation failures

4. Out-of-Scope Vulnerabilities (NOT Eligible for Rewards)

Some issues, while valuable to know about, do not qualify for bounty rewards due to low or negligible security impact.

  • Spam or fake engagement reports without technical exploitation
  • Reports lacking reproducible steps or impact evidence
  • Phishing attempts not targeting Vexor-owned systems
  • Missing security headers with no demonstrable impact
  • Open redirects without associated exploitation scenario
  • Rate-limit or brute-force attempts unless bypass results in damage
  • Vulnerabilities requiring compromised user devices or networks
  • Denial-of-service reports unless caused by a legitimate flaw
  • Attacks on third-party systems not controlled by Vexor

5. Rules of Engagement (Testing Rules)

Security testing must follow strict ethical guidelines to ensure user safety and platform stability. Researchers MUST:

  • Test only on accounts they own or control
  • Limit testing to the minimum impact required for a proof of concept
  • Not interact with, expose, or acquire other users' data
  • Avoid destructive testing, including DDoS, brute-force spam, or mass automation
  • Immediately cease testing if sensitive data is encountered
  • Report vulnerabilities promptly and privately

The following actions are strictly prohibited:

  • Attempting to access admin panels or internal services without authorization
  • Running large-scale automated scanning tools
  • Disrupting platform stability or degrading service performance
  • Using social engineering against Vexor employees or contractors

6. How to Submit a Vulnerability Report

Researchers should submit detailed findings through our official channels:

Reports must include:

  • A detailed description of the vulnerability
  • Exact steps for reproduction
  • Proof-of-concept examples (screenshots, logs, or video)
  • Potential impact assessment
  • Browser, device, OS, or API environment details
  • Test accounts or configurations used during research

7. Reward Structure

Vexor provides monetary or non-monetary rewards for validated, impactful vulnerabilities. Final reward amounts depend on:

  • Severity classification (Critical, High, Medium, Low)
  • Impact radius and exploitability
  • Quality and clarity of report
  • Uniqueness (duplicates receive reduced or no reward)

Estimated Reward Tiers (subject to revision at full production launch):

  • Critical: $1,000 – $10,000+ (Account takeover, remote code execution, major data exposure)
  • High: $500 – $2,500
  • Medium: $200 – $750
  • Low: $50 – $200

8. Our Response Timeline

Vexor aims to maintain transparent and predictable communication with researchers. Typical timelines include:

  • Acknowledgment: Within 72 hours
  • Initial Assessment: Within 7 business days
  • Full Validation & Fix Plan: Within 14–30 business days
  • Reward Decision: Issued after final verification

9. Public Disclosure Rules

To protect users and platform security, researchers must refrain from public disclosure until:

  • The vulnerability has been fully patched, OR
  • Vexor provides written authorization for early disclosure

Unauthorized disclosure may:

  • Invalidate eligibility for rewards
  • Result in suspension of Safe Harbor protections
  • Trigger legal restrictions if disclosure creates user risk

10. Recognition & Hall of Fame

Vexor celebrates impactful contributions from the security community. Eligible researchers may be publicly recognized in the Vexor Security Hall of Fame and may receive written commendations upon request.

11. Contact Information

12. Updates to This Policy

As cybersecurity landscapes evolve, Vexor may update this policy to incorporate new testing methodologies, regulatory changes, or program expansions. Updated versions will be published with version numbers and revision timestamps for transparency.
