Found something? Tell us.
Effective 9 June 2026 · Last updated 9 June 2026
We welcome good-faith security research on vertodigital.com. If you find a vulnerability, this page tells you how to report it and what to expect from us in return.
01 Scope
The following are in scope for vulnerability reports:
- vertodigital.com — all pages and endpoints on the main domain.
- mcp.vertodigital.com — the MCP API endpoint.
The following are out of scope:
- Third-party services we use — Google, LinkedIn, HubSpot, Cloudflare, Stripe.
- Client systems and infrastructure we manage on behalf of clients.
- Missing security headers on third-party scripts loaded by our pages.
- Rate limiting on non-sensitive public endpoints.
- Social engineering attacks targeting our team.
- Theoretical vulnerabilities with no demonstrated impact.
02 How to report
Email [email protected]. A useful report includes:
- A description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce it.
- Screenshots, URLs, or proof-of-concept code where relevant.
- Your name or alias — anonymous reports are welcome.
The more detail you provide, the faster we can act. You don't need to have a complete exploit — if you've found something that looks off, send it through and we'll investigate.
03 What we commit to
- Acknowledgement within 48 hours — we'll confirm receipt on the next business day, two at most.
- Resolution target of 30 days for critical issues — we'll keep you updated on progress and let you know if we need more time.
- Safe harbour — we will not pursue legal action against researchers who act in good faith under this policy.
- Credit — if you'd like to be acknowledged for your find, we'll credit you when we disclose or document the fix.
- No surprises — we'll tell you when the issue is fixed and coordinate any public disclosure with you.
04 Good faith guidelines
To keep this a safe harbour for both sides, we ask that you:
- Give us reasonable time to resolve the issue before any public disclosure.
- Avoid accessing, modifying, or deleting data that isn't yours.
- Do not run automated scanners or denial-of-service tests against our infrastructure.
- Do not use findings to access client data or third-party systems.
Research that stays within these boundaries qualifies for safe harbour. If you're unsure whether something you're doing is in scope, email us first — we'd rather answer the question than have you hold back a real find.
For any question about this policy: [email protected].