Vulnerability Disclosure Policy

Last updated March 24th, 2023

Reporting a Vulnerability

Veza invites you to help the company bolster its existing security measures and adapt to new cyber threats. The security and privacy of clients' confidential information are of the utmost importance to us. We take our responsibility to protect this information seriously. We use technical, administrative, and physical controls to safeguard this data.

We want to hear from security researchers who have information related to suspected security vulnerabilities in any of Veza’s products or services. We value your work and are committed to working with you. Please report vulnerabilities to us in accordance with this Responsible Disclosure Program.

Thank you in advance for your contribution.

Please send us vulnerabilities you identify. If you discover personally identifiable information (PII) while exploring a suspected security vulnerability, we ask that you cease your investigation and report the vulnerability that led to such discovery immediately.

The report should include sufficient information for us to validate and reproduce the issue, including:

  • The service affected, such as the URL or product version.
  • A detailed description of the vulnerability.
  • A description of how the vulnerability was discovered (including tools that were used) or what steps you were taking when you encountered the vulnerability.
  • A description of the impact of the vulnerability and likely attack scenario.
  • Proof of concept (PoC) code, if applicable; alternatively, please supply instructions demonstrating how the vulnerability might be exploited.
  • A suggested patch or remediation action if you are aware of how to fix the vulnerability.

If you identify a vulnerability in accordance with this program, Veza commits to working with you to understand, validate and address the vulnerability appropriately per the assessed risk.

By submitting your report to Veza:

  • You agree not to publicly disclose the vulnerability until Veza agrees to a public disclosure.
  • You agree to keep all communication with Veza confidential.
  • You represent that the report is original to you or, if you submit a third-party report, that you have permission to do so.
  • You allow Veza and its subsidiaries the unconditional ability to use, distribute or disclose information provided in your report.
  • You agree that Veza, in its sole determination, may reward or recognize reports made in accordance with this Responsible Disclosure Program.

Our Expectations Regarding Your Discovery and the Process

If you are considering submitting a vulnerability report, your values clearly align with those of Veza. You know how critical security is and you want to protect sensitive information. Understanding this shared perspective, we do not want you to take on or create unnecessary risk to discover a vulnerability. While we support acts taken in good faith to discover and report vulnerabilities, we expressly prohibit any of the following conduct:

  • Taking any action that will negatively affect Veza, its subsidiaries or agents.
  • Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Disclosing any personally identifiable information discovered to any third party.
  • Destruction or corruption of data, information, or infrastructure, including any attempt to do so.
  • Discovery using social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for Veza).
  • Any exploitation actions, including accessing or attempting to access Veza data or information, beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
  • Attacks on third-party services.
  • Denial of Service attacks or Distributed Denial of Service attacks.
  • Any attempt to gain physical access to Veza property.
  • Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability.
  • Violation of any laws or agreements while discovering or reporting any vulnerability.

Out of Scope Vulnerabilities

The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  • Third-party applications, websites or services that integrate with or link to Veza.
  • Reports that an in-use service (vulnerable third-party code, for example) is running a version with known vulnerabilities, without demonstrating an actual security impact.

Veza reserves all its rights, especially regarding vulnerability discoveries that are not in compliance with this program. Vulnerability investigations and discoveries made or reported in compliance with this program are considered compliant with Veza’s online Terms of Use.