Vertex Vulnerability Disclosure Policy

Updated: 2022-01-03


The Vertex Project (Vertex) is committed to ensuring the security of our open-source and commercial products. As such, we highly value the contributions of security researchers to that process and would like to encourage and support vulnerability research efforts. While each vulnerability is different, this policy is intended to provide initial guidance on how to send us vulnerability reports and what you can expect from us.

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

Guidelines and Scope

Vertex considers all of our products as valid vulnerability research targets. However, researchers are expected to use caution and good judgement when testing Synapse Power-Ups which provide mechanisms for calling 3rd party APIs. Any costs incurred or policy violations of 3rd party terms of service are the responsibility of the individual researcher. Additionally, research against any on-prem customer or 3rd party deployments of Vertex products is expressly forbidden under the scope of this policy.

Provided you make a good faith effort to avoid triggering resource exhaustion or denial-of-service conditions, Vertex may be willing to provision a demo instance for use in your security research.

Forbidden Testing Methods

Denial-of-service against Vertex hosted infrastructure, besides being decidedly un-cool, is forbidden by the scope of this policy. We also do not authorize physical, social engineering, or any other non-technical vulnerability testing.

Reporting a Vulnerability

We accept vulnerability reports via our Contact Us form or email to Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

What we would love to see in a vulnerability report

A clear and detailed description of the steps needed to reproduce the vulnerability. Ideally, a proof-of-concept script or screenshots would be great. Please include any non-default configuration changes or example data required where possible.

What to expect from us

We will acknowledge receipt of your vulnerability disclosure within 3 business days. After that, we will triage the vulnerability and coordinate with you about the timelines for us to deploy fixes and/or issue a public statement. We are happy to provide public acknowledgement in our changelog for the version which addresses the issue :)


Do you offer bug bounties?

No, we don't currently offer any bug bounties.