Vulnerability disclosure¶
We build offensive-security software, so we hold ourselves to the same bar we ask of the systems we test. If you find a security issue in Vex Raptor itself, tell us and we will fix it.
How to report¶
Email [email protected] with:
- A description of the issue and its impact.
- Steps to reproduce (proof of concept, affected version, configuration).
- Your name/handle for credit, if you want it.
Encrypt if sensitive
Ask for our PGP key at the same address if you need to send sensitive details securely.
Our commitment¶
| Stage | Target |
|---|---|
| Acknowledge receipt | 2 business days |
| Triage & severity | 5 business days |
| Fix or mitigation plan | Based on severity, communicated on triage |
| Public advisory & credit | On fix release, in the release notes |
Scope¶
In scope: the Vex Raptor application, API, and official container images.
Out of scope: findings that require a compromised host or privileged local access, denial of service via unrealistic load, social engineering, and reports from automated scanners without a demonstrated impact.
Safe harbor¶
We will not pursue or support legal action against researchers who:
- Act in good faith and avoid privacy violations, data destruction, or service degradation.
- Only test against their own deployments.
- Give us reasonable time to remediate before public disclosure.
How we secure our own product¶
- The same confidence pipeline and scope-lock controls documented in the Security overview.
- Dependency scanning (
pip-audit) in CI on every merge; pinned dependencies. - A regression corpus that guards against false-positive drift in the engine.