Vulnerability Disclosure Policy
Reporting a vulnerability
We welcome reports of security vulnerabilities. If you believe you have found a vulnerability in the Service, please report it to security@velirafinance.com with enough detail to reproduce and assess the issue. Please report promptly and give us a reasonable opportunity to remediate before any public disclosure.
Scope
In scope: the Velira application and its public endpoints operated by Velira Finance. Out of scope: third-party services and infrastructure we do not control (for example, data aggregators, hosting providers, or connected financial institutions), denial-of-service testing, social engineering, physical attacks, and anything that could harm users or their data. Velira Finance has yet to finalize the precise scope.
Rules of engagement
When researching, please: act in good faith; only test against your own accounts and data; avoid accessing, modifying, or destroying data that is not yours; avoid privacy violations and service degradation; and do not exfiltrate data. Stop and report if you encounter sensitive data.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, will work with you to understand and resolve the issue quickly, and will not pursue or support legal action against you for that research. This safe harbor does not apply to activity that violates the law or harms users. If in doubt about whether a specific action is acceptable, contact us first at security@velirafinance.com.
Our commitments
We aim to acknowledge reports within a reasonable time, keep you informed of remediation progress, and credit researchers who wish to be recognized. We do not currently operate a paid bug-bounty program; any rewards are at our discretion.
Questions about this document? Contact us at hello@velirafinance.com.