Vulnerability Disclosure Policy

VendorX is committed to the security of our platform and the data entrusted to us by our partners and their customers. We welcome and encourage security researchers to help us improve our security posture through responsible vulnerability disclosure.

Scope

This policy applies to vulnerabilities discovered in the following systems and services owned and operated by VendorX Platform, Inc.:

• ✓vendorxpro.com and all subdomains (*.vendorxpro.com)
• ✓VendorX Platform API (api.vendorxpro.com)
• ✓VendorX Platform web application
• ✓Mobile-responsive web interfaces served by VendorX

Out of Scope

The following are explicitly out of scope for this policy:

• ✓Third-party services and integrations (Stripe, ShipStation, Sentry, etc.)
• ✓Physical security of VendorX offices or data centers
• ✓Social engineering attacks against VendorX employees or partners
• ✓Denial-of-service (DoS/DDoS) attacks
• ✓Automated scanning that generates excessive traffic or degrades service availability
• ✓Vulnerabilities in software or systems not owned by VendorX

Safe Harbor

VendorX considers security research conducted in accordance with this policy to be authorized, and we will not pursue legal action against researchers who act in good faith. Specifically:

• ✓We will not pursue civil or criminal action against researchers who comply with this policy.
• ✓We consider activities conducted consistent with this policy to constitute "authorized conduct" under the Computer Fraud and Abuse Act (CFAA).
• ✓We waive any potential DMCA claim against researchers acting in good faith under this policy.
• ✓If legal action is initiated by a third party against a researcher for activities conducted in accordance with this policy, we will make this authorization known.

Researcher Guidelines

To qualify for safe harbor protections, researchers must:

1. 1.Only test against accounts you own or have explicit authorization to test.
2. 2.Do not access, modify, or delete data belonging to other users or tenants.
3. 3.Stop testing and report immediately if you encounter any user data that is not your own.
4. 4.Do not perform actions that could impact the availability or integrity of VendorX services.
5. 5.Do not publicly disclose vulnerability details before VendorX has had reasonable time to remediate.
6. 6.Provide sufficient detail in your report for VendorX to reproduce and verify the vulnerability.
7. 7.Act in good faith to avoid privacy violations, data destruction, and service disruption.

How to Report

Submit vulnerability reports via email to security@vendorxpro.com. Please include:

• ✓Description of the vulnerability and its potential impact
• ✓Step-by-step instructions to reproduce the issue
• ✓Affected URL(s), endpoint(s), or component(s)
• ✓Any proof-of-concept code or screenshots
• ✓Your preferred contact information for follow-up
• ✓If you need to share sensitive proof-of-concept material, contact security@vendorxpro.com to arrange an encrypted transfer channel

Response Commitments

VendorX commits to the following response timelines:

• ✓Acknowledgment: Within 2 business days of receipt
• ✓Triage & severity assessment: Within 5 business days
• ✓Critical severity (CVSS 9.0+): Remediation target within 7 calendar days
• ✓High severity (CVSS 7.0–8.9): Remediation target within 30 calendar days
• ✓Medium severity (CVSS 4.0–6.9): Remediation target within 90 calendar days
• ✓Low severity (CVSS 0.1–3.9): Remediation scheduled in regular release cycle

Coordinated Disclosure

VendorX follows a coordinated disclosure model. We request that researchers allow us 90 calendar days from the date of the initial report to remediate the vulnerability before any public disclosure. If we are unable to remediate within 90 days, we will work with the reporter to agree on a mutually acceptable disclosure timeline.

We will credit researchers who report valid vulnerabilities (with their permission) in our security acknowledgments unless they prefer to remain anonymous.

Non-Qualifying Vulnerabilities

The following issue types are generally not considered qualifying vulnerabilities under this policy:

• ✓Missing security headers that do not lead to a direct exploit
• ✓Clickjacking on pages with no sensitive actions
• ✓CSRF on forms with no security impact (e.g., logout)
• ✓Missing rate limiting on non-authentication endpoints
• ✓Information disclosure in HTTP headers (server version, etc.) without exploit path
• ✓SSL/TLS configuration issues without demonstrated exploit
• ✓Content spoofing or text injection without demonstrated impact
• ✓Vulnerabilities requiring physical access to a user's device