Document the issue
Capture the affected page, endpoint, account role, browser, timestamps, and the exact behavior you observed.
If you believe you found a vulnerability, suspicious behavior, or unsafe access pattern in Velrin, send a clear report so we can review it safely without disrupting production or exposing user data.
Numbered actions, affected URL, role, and environment.
What data, permission, workflow, account, or user action may be affected.
Screenshots, request IDs, timestamps, logs, or console errors.
Coordinate with Velrin before any public disclosure.
A strong report helps us reproduce the issue safely, understand the user or workspace impact, and identify the right remediation path.
Capture the affected page, endpoint, account role, browser, timestamps, and the exact behavior you observed.
Describe what someone could access, change, bypass, or disrupt if the issue were exploited.
Provide screenshots, redacted requests, console errors, or logs without exposing secrets or unrelated user data.
Give us time to triage, fix, and validate before discussing the issue publicly.
Security testing must be limited, targeted, and non-destructive. Test only against accounts, workspaces, and data you own or are explicitly authorized to use.
We use a clear intake path so reports stay structured, accountable, and reviewable from receipt through resolution.
We confirm receipt and ask for clarifying details if the report needs more context.
We reproduce the issue, assess severity, and identify the affected product area.
We prepare and validate the fix in a controlled way before release.
We confirm the vulnerability is resolved and close the report with final notes.
You do not need to use this format exactly, but these fields help us move faster and avoid back-and-forth.
Subject: Security Report — Velrin
Summary:
Affected page or feature:
Account role used:
Steps to reproduce:
Expected result:
Actual result:
Potential impact:
Safe evidence:
Suggested remediation, if any:
Disclosure coordination notes:
Note: Velrin does not currently operate a public bug bounty program unless a separate written agreement says otherwise.
Send your report to security@velrin.com with enough detail to review safely. For general product, billing, or access questions, use the contact page instead.