Vornin
Start Free
Security policy

Security Policy & Responsible Disclosure

Updated · 2026.05.30 · Revision 1.0

1. We want to hear from you

We run a security company. We take reports seriously. If you believe you’ve found a vulnerability in Vornin — the app at app.vornin.com, the marketing site at vornin.com, or any related infrastructure — please tell us. We’d rather hear about it from you than read about it in the news.

2. How to report

Email security@vornin.com. Please include:

  • A clear description of the issue
  • Steps to reproduce
  • Potential impact
  • Your contact details so we can follow up

A PGP key for encrypted reports will be published here shortly. If you’d like encrypted exchange today, say so in an unencrypted mail and we’ll coordinate.

3. What we promise

  • Acknowledgement within 2 business days
  • Triage + initial assessment within 5 business days
  • Honest communication throughout the process, including if we decide not to fix
  • Credit on this page if you want it (we respect anonymity too)

4. Safe harbour

We will not pursue legal action for good-faith security research that:

  • Respects the privacy of our users — do not access, modify, or exfiltrate data that isn’t your own
  • Does not degrade service for other users (no DoS, no destructive automated scans)
  • Does not use social engineering, physical attacks, or target our staff or vendors
  • Gives us a reasonable window to fix before disclosing publicly

5. Out of scope

The following are not considered vulnerabilities:

  • Missing security headers on pages that don’t handle user data
  • Theoretical CSRF on logout endpoints
  • Self-XSS requiring user-pasted JavaScript
  • Reports generated purely by automated tooling without validation
  • Findings on third-party services we use (please report those to the vendor)

6. Bounties

We’re a small pre-revenue team. We don’t currently pay bug bounties. We will credit researchers publicly and privately thank you with whatever swag we can muster. We will revisit this as the business grows.

7. Machine-readable

This policy is also published as /.well-known/security.txt per RFC 9116.