Vintecc Responsible Disclosure Policy
1. Introduction
At Vintecc, we are committed to maintaining the security, confidentiality, integrity, and availability of our systems, services, and customer data. We value the contributions of security researchers and users who take the time to report vulnerabilities responsibly.
This policy explains how to report potential security issues to us, the rules of engagement for testing, and what you can expect from us in return.
Standards alignment: This policy supports our Information Security Management System (ISMS) and aligns with:
- ISO/IEC 27001:2022, Annex A.8.8 — Management of Technical Vulnerabilities
- ISO/IEC 29147:2018 — Vulnerability Disclosure
2. Purpose
The purpose of this policy is to provide a clear and secure process for reporting potential vulnerabilities to Vintecc, ensuring timely assessment, prioritization, and remediation in line with risk and business impact.
3. Scope
This policy applies to:
- All Vintecc-operated information systems, applications, APIs, cloud services, and connected devices.
- All environments under Vintecc’s direct control.
Excluded: Third-party applications or systems not directly administered by Vintecc.
4. Reporting a Vulnerability
Email: security@vintecc.com
Include in your report:
- A clear description of the vulnerability.
- Steps to reproduce the issue, including relevant URLs, parameters, and any supporting code or screenshots.
- Your contact information so we can follow up with you (pseudonymous submissions are also accepted).
5. What you can expect from Vintecc
When you submit a good-faith vulnerability report:
- Acknowledgement within 5 business days.
- Risk-based assessment and prioritization using methods such as CVSS scoring.
- Regular updates on the progress of the assessment and remediation process.
- Legal protection: If you comply with this policy during your research, we will not pursue legal action against you or request law enforcement involvement under applicable computer misuse laws.
- Recognition (if desired) in public release notes after resolution.
- For confirmed High or Critical severity issues, we offer a token of appreciation (e.g., Company branded merchandise).
6. Rules of engagement
To ensure the safety of our services and customers, we ask you to:
- Perform testing in a way that avoids service disruption or data loss.
- Access only your own account or data you have explicit permission to access.
- Avoid social engineering, phishing, spam, or physical intrusion attempts.
- Do not exfiltrate or alter any data beyond what is technically required to demonstrate the vulnerability.
7. Disclosure timeline
We aim to handle discovered vulnerabilities promptly, based on their severity and potential business impact, while providing timely feedback to reporters.
Initial assessment and validation:
- We will perform a preliminary validation of the reported vulnerability and assess its potential severity within 5 business days of receipt.
- If additional details are required to reproduce the issue, we will contact you quickly to avoid delays.
Target remediation timelines after validation:
| Severity | Typical Target |
| --- | --- |
| Critical / High | Fix or mitigation within 10 business days* |
| Medium | Fix within 60 days |
| Low | Addressed as part of normal maintenance |
* Timelines may be extended for complex fixes, required dependency updates, or coordinated releases.
Note: The remediation timelines above apply only to vulnerabilities disclosed under this policy. Other timelines may apply to vulnerabilities detected internally or by automated tooling.
8. Disclosure Coordination
We request coordinated disclosure:
- Please wait to disclose publicly until we have addressed the issue or we agree on an alternate disclosure date.
- For complex issues, disclosure timelines may be extended by mutual agreement to ensure adequate remediation.
9. Out of Scope
The following are not considered in scope:
- Denial of Service (DoS/DDoS) or resource exhaustion attacks.
- Automated scanning without proof of exploitability.
- Vulnerabilities in third-party systems not operated by Vintecc.
- Spam or social engineering campaigns.
- Physical attacks on facilities or infrastructure.
10. Privacy and Data Handling
All reports and associated personal data will be processed in accordance with GDPR requirements and used solely for vulnerability coordination purposes.
Thank you for helping us keep Vintecc secure!