Saltar a contenido

Vulnerability disclosure

We build offensive-security software, so we hold ourselves to the same bar we ask of the systems we test. If you find a security issue in Vex Raptor itself, tell us and we will fix it.

How to report

Email [email protected] with:

  • A description of the issue and its impact.
  • Steps to reproduce (proof of concept, affected version, configuration).
  • Your name/handle for credit, if you want it.

Encrypt if sensitive

Ask for our PGP key at the same address if you need to send sensitive details securely.

Our commitment

Stage Target
Acknowledge receipt 2 business days
Triage & severity 5 business days
Fix or mitigation plan Based on severity, communicated on triage
Public advisory & credit On fix release, in the release notes

Scope

In scope: the Vex Raptor application, API, and official container images.

Out of scope: findings that require a compromised host or privileged local access, denial of service via unrealistic load, social engineering, and reports from automated scanners without a demonstrated impact.

Safe harbor

We will not pursue or support legal action against researchers who:

  • Act in good faith and avoid privacy violations, data destruction, or service degradation.
  • Only test against their own deployments.
  • Give us reasonable time to remediate before public disclosure.

How we secure our own product

  • The same confidence pipeline and scope-lock controls documented in the Security overview.
  • Dependency scanning (pip-audit) in CI on every merge; pinned dependencies.
  • A regression corpus that guards against false-positive drift in the engine.