Vulnerability Disclosure Policy

💰

Rewards Program

VendorPM Bounty Program offers competitive rewards for security vulnerabilities that meet our criteria:

• Direct security impact falling under our vulnerability categories
• Rewards credited via PayPal invoices
• Fixed bounty amounts based on severity

✅

Eligibility Requirements

• Be the first to report the vulnerability to security@vendorpm.com
• Must pertain to an explicitly listed vulnerability category
• Include sufficient proof of concept (screenshot, video, or code snippet)
• Participate in testing the applied countermeasure
• Maintain confidentiality of all VendorPM communications

🛡️

Vulnerability Categories

📋

Program Rules

• Respect user privacy - don't access, destroy, or disrupt other users' data
• Allow reasonable response time - avoid excessive status update requests
• Only target your own test accounts during vulnerability research
• Physical security and social engineering attacks are strictly prohibited

⚖️

Terms & Conditions

❌

Out of Scope

The following findings are not eligible for rewards:

• Zero-day CVEs (less than 90 days since patch release)
• Service fingerprinting or banner disclosure
• Public file/directory disclosure (robots.txt, etc.)
• Clickjacking/TapJacking vulnerabilities
• Social engineering attempts
• Missing security headers
• Email configuration issues (SPF/DMARC/DKIM)
• Rate limiting or spam issues
• SSL/TLS configuration weaknesses
• Non-application layer DoS/DDoS
• Missing cookie attributes
• CSRF on public forms
• Logout CSRF
• Autocomplete/password save functionality
• Non-sensitive error messages
• Jailbroken/rooted device requirements
• Automated scanner reports
• EXIF metadata disclosure
• Open ports without impact demonstration
• Content injection/spoofing
• CORS misconfigurations without impact