Overview
VigilChain takes the security of our platform and the data entrusted to us seriously. We welcome responsible disclosure from security researchers and the broader community. If you believe you have discovered a security vulnerability in any VigilChain system, we encourage you to tell us about it so we can address it promptly.
This policy describes what is in scope for security research, how to report findings, what we ask of researchers, and our safe harbor commitments to researchers who act in good faith.
Safe Harbor
VigilChain will not pursue civil or criminal action against security researchers who discover and report vulnerabilities in accordance with this policy. We consider security research conducted under this policy to be authorized activity and will not treat it as a violation of our Terms of Service.
Specifically, to the extent that your activities are consistent with this policy, we will:
- Not initiate or recommend law enforcement action against you in connection with your research;
- Not pursue civil claims against you related to your research;
- Work with you to understand and remediate the vulnerability quickly;
- Acknowledge your contribution if you wish, once the issue is resolved.
If legal action is initiated by a third party against you in connection with research conducted under this policy, we will take reasonable steps to make known that your activities were conducted in compliance with this policy.
Important: Safe harbor applies only to security research that complies with this policy. Activities that are clearly outside the scope of good-faith security research — such as accessing, exfiltrating, or destroying customer data; conducting denial-of-service attacks; or using vulnerabilities to attack other parties — are not covered.
Scope
The following systems are in scope for security research:
- vigilchain.com — the marketing and informational website
- app.vigilchain.com — the VigilChain platform application
- api.vigilchain.com — the VigilChain API
The following are explicitly out of scope:
- Denial-of-service attacks (DoS/DDoS) against any VigilChain infrastructure;
- Physical security testing of VigilChain facilities;
- Social engineering or phishing of VigilChain employees or customers;
- Testing or accessing systems belonging to VigilChain customers or third parties;
- Automated scanning that generates excessive load or disrupts service availability;
- Vulnerabilities in third-party software where VigilChain is not the appropriate vendor to notify;
- Reports that cite a published CVE in a component we use without demonstrating that the issue is actually reachable or exploitable in VigilChain systems.
How to Report
Please email your findings to security@vigilchain.com. We ask that you:
- Provide a clear description of the vulnerability and its potential impact;
- Include steps to reproduce the issue or a proof-of-concept — the clearer the reproduction case, the faster we can triage;
- Share any relevant URLs, affected parameters, screenshots, or request/response captures;
- Avoid accessing, modifying, or deleting data that does not belong to you; if demonstrating an issue exposes data that is not yours, stop at the point of proof and include only the minimum needed to show the problem;
- Give us a reasonable amount of time to respond before disclosing the issue publicly.
If you believe the vulnerability is particularly sensitive, you may request our PGP key before submitting.
What to Expect
After you submit a report, you can expect the following:
- Acknowledgment within 2 business days confirming we received your report;
- Triage update within 7 business days with our assessment of severity and scope;
- Regular updates as we work toward a fix, and notification when the issue is resolved;
- Credit in our acknowledgments if you would like to be recognized (optional).
We handle all reports confidentially. We ask that you do not publicly disclose the vulnerability until we have had adequate time to investigate and remediate, and that you coordinate any disclosure timing with us.
Vulnerability Severity Framework
We assess reported vulnerabilities using the CVSS v3.1 base score as a baseline, then adjust for deployment context (for example, whether the affected component is reachable without authentication and what data it can access). Critical and high severity findings are escalated immediately to our engineering team. All confirmed vulnerabilities receive a fix commitment, and the target remediation timeline is communicated to the reporter.
Contact
For security vulnerability reports: security@vigilchain.com
For general security questions or inquiries unrelated to vulnerability disclosure, please use the same address.