vcita’s Vulnerability Disclosure Program
Last updated May 2025
vcita Inc., including its affiliates (“vcita”), is committed to providing a secure and reliable platform and services for our users. We recognize the valuable role security researchers play in identifying vulnerabilities and improving our security posture. This Vulnerability Disclosure Policy (“Policy”) outlines our guidelines for responsible vulnerability reporting by the security community.
Scope and Exclusions
This Policy applies to all vulnerabilities affecting our platform, services, websites and related infrastructure. This includes, but is not limited to:
• Web applications
• APIs
• Mobile apps
• Backend infrastructure
• Security systems
The following are excluded from this Policy:
• Denial-of-service (DoS) attacks
• Social engineering attacks
• Phishing attacks
• Physical security vulnerabilities
• Vulnerabilities publicly known or documented (except for zero-day exploits)
• Vulnerabilities reported through other channels (unless explicitly authorized)
Do not attempt to gain access to another user’s account or data.
Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Do not exploit vulnerabilities for personal gain, access or modify user data, or disrupt our services.
Eligible Targets
• www.vcita.com
• app.vcita.com
• live.vcita.com
• intandem.vcita.com
• www.intandem.io
Rewards
We offer rewards for eligible vulnerabilities based on their severity and potential impact. Rewards will be determined at our sole discretion, considering factors such as:
• Severity: Critical, High, Medium, Low
• Impact: Data exposure, system takeover, financial loss, etc.
• Originality: Zero-day versus known vulnerabilities
• Quality of report: Clarity, detail, proof of concept
• Responsiveness: Timeliness of report
If we find you eligible for a monetary award, in order to get paid, you may need to (a) provide us with additional verification and tax information; (b) fulfill various eligibility requirements; and (c) agree to additional terms and conditions with a third party payment processor. Taxes on monetary rewards paid to you are your sole responsibility.
Monetary rewards which remain unclaimed or undeliverable for a period of six (6) months will be forfeited.
The minimum reward amount for a validated bug submission is US$50 and the maximum reward for a validated bug submission is US$500. All determinations made as to the amount of a reward are final and are subject to signing a waiver.
Communication and Disclosure
• We will acknowledge your report within 10 to 14 days and keep you updated on the progress of our investigation.
• We will work with you to responsibly disclose the vulnerability, with consideration for our users and the public.
Legal Terms
• By submitting a report, you agree to this Policy, our Privacy Policy and our Terms of Service.
• We reserve the right to exclude you from the program for violating our Policy or engaging in malicious activities.
Intellectual Property; Ownership of Results
You hereby represent that you have obtained the necessary approvals and consents from all third parties including your employer for the purpose of participating as a researcher.
You hereby agree and warrant that you will disclose all of the information about vulnerabilities discovered, covered, found, observed or identified by you (“Results”) to vcita. Furthermore, you hereby assign to vcita and agree to assign to vcita any and all of your Results and rights thereto. To the extent any rights in your Results are not assignable, you shall grant and agree to grant to vcita under any and all such rights an irrevocable, paid-up, royalty free, perpetual, exclusive, sub-licensable (directly or indirectly through multiple tiers), transferable, and worldwide license to use and permit others to use such Results in any manner desired by us (and/or our customers and partners) without restriction or accounting to you, including, without limitation, the right to make, have made, sell, offer for sale, use, rent, lease, import, copy, prepare derivative works, publicly display, publicly perform, and distribute all or any part of such Results and modifications and combinations thereof and to sublicense (directly or indirectly through multiple tiers) or transfer any and all such rights. Further, you shall waive and agree to waive in favour of vcita any moral right or other right or claim that is contrary to the intent of a complete transfer of rights to vcita in your Results.
Confidentiality Obligations
“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, information regarding our services, platform or website, information regarding our security program, transactions, pricing information, business information, fees and amounts paid to you or others and existence of and terms of private vcita security programs. ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF VCITA. This means no submissions may be publicly disclosed at any time unless vcita has otherwise consented to disclosure.
You agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by vcita; (ii) protect such Confidential Information with no less than reasonable care; (iii) not use vcita’s Confidential Information for any purpose other than as permitted by vcita; and (iv) immediately notify vcita upon discovery of any loss or unauthorized disclosure of any Confidential Information.