Responsible disclosure

Report a security concern safely.

If you believe you found a vulnerability, suspicious behavior, or unsafe access pattern in Velrin, send a clear report so we can review it safely without disrupting production or exposing user data.

Security intake

What helps us review faster?

01
Reproducible steps

Numbered actions, affected URL, role, and environment.

02
Impact explanation

What data, permission, workflow, account, or user action may be affected.

03
Evidence

Screenshots, request IDs, timestamps, logs, or console errors.

04
Safe coordination

Coordinate with Velrin before any public disclosure.

Primary contact: security@velrin.com
Reporting guide

Send the details that make the report actionable.

A strong report helps us reproduce the issue safely, understand the user or workspace impact, and identify the right remediation path.

01

Document the issue

Capture the affected page, endpoint, account role, browser, timestamps, and the exact behavior you observed.

02

Explain the risk

Describe what someone could access, change, bypass, or disrupt if the issue were exploited.

03

Include safe evidence

Provide screenshots, redacted requests, console errors, or logs without exposing secrets or unrelated user data.

04

Coordinate disclosure

Give us time to triage, fix, and validate before discussing the issue publicly.

Safe testing boundaries

Help protect Velrin without disrupting operations.

Security testing must be limited, targeted, and non-destructive. Test only against accounts, workspaces, and data you own or are explicitly authorized to use.

In scope for reporting

  • Authentication and authorization weaknesses
  • Privilege escalation or role bypass
  • Data exposure affecting confidentiality
  • Unsafe input handling or injection risks
  • Session, access, or workflow control issues

Out of scope / unsafe testing

  • Denial-of-service, stress, or load testing
  • Social engineering, phishing, or impersonation
  • Accessing or changing another user’s data
  • Destructive testing or data deletion
  • Public disclosure before remediation is complete
Response process

What happens after you report?

We use a clear intake path so reports stay structured, accountable, and reviewable from receipt through resolution.

01

Acknowledge

We confirm receipt and ask for clarifying details if the report needs more context.

02

Triage

We reproduce the issue, assess severity, and identify the affected product area.

03

Remediate

We prepare and validate the fix in a controlled way before release.

04

Verify

We confirm the vulnerability is resolved and close the report with final notes.

Suggested report format

Use a clean structure in your email.

You do not need to use this format exactly, but these fields help us move faster and avoid back-and-forth.

Subject: Security Report — Velrin

Summary:
Affected page or feature:
Account role used:
Steps to reproduce:
Expected result:
Actual result:
Potential impact:
Safe evidence:
Suggested remediation, if any:
Disclosure coordination notes:

Note: Velrin does not currently operate a public bug bounty program unless a separate written agreement says otherwise.

Security contact

Ready to submit a report?

Send your report to security@velrin.com with enough detail to review safely. For general product, billing, or access questions, use the contact page instead.