
Vulnerability Disclosure Policy

Effective Date: 8 May 2026 · Version 1.0

Vyete Technologies Ltd ("Vyete") values the security research community and welcomes responsible disclosure of security vulnerabilities in our platform and services. This Policy sets out how to report vulnerabilities, what we commit to in return, and the rules of engagement for authorised security research.


1. Our Commitment

Vyete is committed to working with the security research community to identify and resolve security vulnerabilities in a responsible and timely manner. We believe that transparent, collaborative engagement with researchers makes our platform safer for all participants.

2. Scope

2.1 In-Scope Systems

The following systems and services are in scope for this programme:

| Asset | Description |
|---|---|
| vyete.com | Main web application (all subdomains unless excluded below) |
| api.vyete.com | Public API endpoints |
| shop.vyete.com | Shop operator dashboard |
| ferry.vyete.com | Courier application web interface |
| Vyete iOS app | Latest version on the App Store |
| Vyete Android app | Latest version on Google Play |
| Vyete Courier iOS and Android apps | Latest versions |

2.2 Out-of-Scope Systems

The following are explicitly out of scope. Testing against these systems is not permitted:

  • Third-party services and integrations (payment processors, cloud infrastructure, DNS providers).
  • status.vyete.com (read-only status page).
  • Systems operated by shops, brands, or couriers — these are independent entities.
  • Physical security of Vyete offices and data centres.
  • Social engineering attacks against Vyete employees or contractors.
  • Any system not owned or operated by Vyete.

3. Vulnerability Categories of Interest

Vyete is particularly interested in vulnerabilities that could:

  • Allow unauthorised access to user, shop, or courier accounts.
  • Expose personal data of platform participants.
  • Allow manipulation of financial transactions or payout calculations.
  • Permit privilege escalation within the platform.
  • Allow injection of malicious code that affects other users.
  • Bypass authentication or authorisation controls.
  • Allow mass enumeration of user or transaction data.

4. How to Report

4.1 Submission

Submit your report to [email protected]. Please encrypt sensitive reports using Vyete's PGP public key, available at vyete.com/security/pgp.

Include in your report:

  • A clear description of the vulnerability and its potential impact.
  • The affected system, endpoint, or component.
  • Step-by-step reproduction instructions.
  • Proof-of-concept code or screenshots (where safe to include).
  • Your contact details (optional, but required for acknowledgement and updates).

4.2 Report Quality

Higher-quality reports receive faster responses. A good report clearly demonstrates the vulnerability, its root cause, and the realistic worst-case impact. You do not need to provide a fix — assessment of fix options is Vyete's responsibility.

5. What We Commit To

In response to a good-faith vulnerability report:

| Commitment | Timeframe |
|---|---|
| Acknowledgement of receipt | Within 2 business days |
| Initial triage and severity assessment | Within 5 business days |
| Regular status updates | At least every 14 days during active investigation |
| Resolution of critical/high severity issues | Within 30 calendar days |
| Resolution of medium severity issues | Within 90 calendar days |
| Public disclosure coordination | After fix is deployed; typically 90 days from report |

We will work collaboratively with researchers on disclosure timing and will credit reporters in our security acknowledgements unless anonymity is requested.

6. Rules of Engagement

To qualify for protection under this Policy and to be eligible for recognition or reward, researchers must:

  • Not access data beyond what is necessary to demonstrate the vulnerability. Accessing, downloading, or storing personal data of real users is prohibited.
  • Not disrupt platform availability — no denial of service testing, load testing, or actions likely to degrade the platform for legitimate users.
  • Not exploit a vulnerability beyond the minimum necessary to confirm it exists. Stop at proof of concept.
  • Not use the vulnerability to access, modify, or delete data you are not authorised to access.
  • Not conduct social engineering against Vyete employees, users, or contractors.
  • Not conduct physical attacks against Vyete infrastructure or personnel.
  • Maintain confidentiality of your findings until Vyete has confirmed the fix is deployed or 90 days have elapsed, whichever is sooner.
  • Not disclose to third parties (including other security researchers) without Vyete's consent.

Compliance with these rules is required for safe harbour to apply.

7. Safe Harbour

Vyete will not initiate legal action against researchers who:

  • Discover and report vulnerabilities in good faith in accordance with this Policy.
  • Comply with the Rules of Engagement in Section 6.
  • Act in a manner consistent with applicable law and this Policy.

This safe harbour is extended to protect researchers from legal claims for activities that would otherwise potentially expose them to liability (e.g., incidental access to systems) provided those activities are clearly incidental to good-faith vulnerability discovery and disclosure.

Vyete does not authorise testing on third-party systems, and safe harbour does not apply to claims by third parties.

8. Recognition and Rewards

8.1 Hall of Fame

Researchers who disclose valid, previously unknown vulnerabilities in good faith are credited in Vyete's Security Hall of Fame at vyete.com/security/acknowledgements (unless anonymity is requested).

8.2 Bug Bounty

Vyete operates a bug bounty programme for qualifying vulnerabilities. Rewards are assessed based on severity (CVSS score), impact, and report quality:

| Severity | Indicative Reward |
|---|---|
| Critical (CVSS 9.0–10.0) | Published in programme terms |
| High (CVSS 7.0–8.9) | Published in programme terms |
| Medium (CVSS 4.0–6.9) | Published in programme terms |
| Low (CVSS < 4.0) | Hall of Fame recognition; no financial reward |

Reward amounts are published at vyete.com/security/bug-bounty. Vyete reserves the right to adjust rewards based on the actual impact of a finding. Duplicate reports (a vulnerability already reported by another researcher) are not eligible for a reward; the first reporter receives credit.

9. Out-of-Scope Findings

The following categories of finding are out of scope and will not be rewarded, though reports are still welcomed:

  • SSL/TLS configuration issues on non-primary endpoints.
  • Missing HTTP security headers with negligible security impact.
  • Theoretical vulnerabilities without demonstrated exploitability.
  • Vulnerabilities in out-of-scope systems (see Section 2.2).
  • Self-XSS requiring the victim to be the attacker.
  • Clickjacking on non-sensitive pages.
  • CSRF on logout endpoints.
  • Reports generated solely by automated scanning tools without manual validation.

10. Contact

Security vulnerability reports: [email protected] (PGP key at vyete.com/security/pgp)

General security enquiries: [email protected]

Bug bounty programme: vyete.com/security/bug-bounty