Vulnerability Disclosure Program (VDP)
Aspida Labs welcomes responsible security research and coordinated vulnerability disclosure. This page describes our public‑facing VDP policy (no cash bounties) and provides guidance for submitting reports. It is not legal advice; please consult your own counsel before participating.
1 Program Overview
We operate a recognition‑only Vulnerability Disclosure Program (VDP) on the Bugcrowd platform. Our goal is to provide a safe, structured channel for reporting security issues, improve our resilience and build trust with the security community. There are no monetary bounties; instead we offer non‑monetary recognition for eligible findings.
Program type: Vulnerability Disclosure Program (VDP), recognition‑only (no monetary bounties).
Goal: Provide a safe, structured channel for reporting security issues, improve resilience, and build trust with the security community.
Platform: Bugcrowd (public VDP page, researcher submission portal and optional triage services).
Primary contact: info@aspidalabs.com
2 Public Policy (for Researchers)
2.1 Scope (In & Out)
The following table lists assets that are in‑scope for this program. If your testing involves something not listed here, please ask before proceeding.
| ID | Asset/Domain | Environment | Authentication | Notes |
|---|---|---|---|---|
| A1 | *.aspidalabs.com/* | Production | N/A | Primary web app |
Explicitly out of scope
- Denial‑of‑Service (DoS), DDoS or volumetric traffic spikes.
- Automated scanning that degrades service availability.
- Social engineering or phishing of Aspida Labs staff, customers or partners.
- Physical security, office networks or hardware tampering.
- Vulnerabilities requiring device jailbreak or rooted environments beyond normal usage.
- Attacks on third‑party platforms or providers not owned or operated by Aspida Labs.
- Password reuse attacks using credential dumps; spam; brute‑force with excessive rates.
- Non‑sensitive data exposure from public information or non‑actionable configuration.
- Best‑practice or purely informational items without security impact (see common low/informational below).
Common low / informational issues
These items are typically out of scope unless you can demonstrate a realistic exploit. Reports without clear impact may be closed as informational:
- Missing SPF/DMARC or weak email configuration without spoof/impact proof.
- Rate‑limit absences without demonstrated exploit to compromise confidentiality or integrity.
- Clickjacking on pages without sensitive actions.
- Minor header omissions (e.g. X‑Frame‑Options, X‑XSS‑Protection) without impact.
- Self‑XSS that requires the user to paste code into the console.
- Vulnerabilities in outdated browsers or platforms we do not support.
If you are unsure whether a finding is in scope, please submit the details; we will review case‑by‑case.
2.2 Testing Rules of Engagement
To protect users and systems, researchers must follow these rules:
- Use only accounts you own. Do not access or modify data that isn’t yours. Avoid PII/PHI; if encountered unintentionally, stop, capture minimal evidence and report immediately.
- Avoid service disruption: no DoS/DDoS, traffic floods or resource exhaustion.
- No social engineering (phishing, vishing) or physical intrusion.
- Respect rate limits and avoid automated scanning that impacts availability.
- No malware/ransomware deployment; no persistence or backdoors.
- Provide step‑by‑step reproduction with safe payloads. Include affected asset/version, expected vs actual behaviour and screenshots or videos when possible.
- If your test must involve elevated risk, request written approval first via info@aspidalabs.com.
2.3 Safe Harbor & Good‑Faith Protections
We commit that we will not pursue civil or criminal action and will not refer for law enforcement investigation if you:
- Act in good faith, comply with this policy and avoid privacy or availability harms.
- Make a best effort to avoid accessing or exfiltrating data; limit exposure to what is necessary to demonstrate the vulnerability.
- Promptly report the vulnerability with full details and do not exploit it beyond what is necessary for proof.
- Do not disclose vulnerability details to the public or third parties without following our disclosure policy (see Section 4).
If legal uncertainty arises, contact us at info@aspidalabs.com for clarification.
2.4 Eligibility & Recognition (Non‑Monetary)
We do not offer cash bounties under this VDP. Instead, eligible researchers receive public recognition and thank‑you certificates.
Eligibility requirements:
- Be the first to report a unique, previously unknown issue.
- Provide a high‑quality report with clear reproduction steps and realistic impact.
- Comply with all rules in this policy and applicable laws.
Recognition tiers (example):
- Gold: 3 or more High/Critical valid findings within 12 months.
- Silver: 1–2 High/Critical or 3 or more Medium valid findings within 12 months.
- Bronze: At least one valid finding (any severity).
We publish a Hall of Fame and issue digital badges/certificates. Researchers may opt out.
2.5 How to Report
Preferred channel: Submit via our Bugcrowd VDP page.
Alternate contact: info@aspidalabs.com
Please include: asset, endpoint, steps to reproduce, proof‑of‑concept, impact, likelihood, suggested fix and test account IDs used.
3 Service Levels & Triaging
3.1 Communication SLAs (Researchers)
We commit to the following service levels for researcher communication:
- Acknowledgement: within 1 business day.
- Initial triage outcome (valid/needs‑info/duplicate/out‑of‑scope): within 3 business days.
- Status updates: at least weekly until closure, or sooner on material changes.
Business days are Monday–Friday, excluding Aspida Labs holidays.
3.2 Severity Rating & Remediation Targets
We rate vulnerabilities according to CVSS v3.1 (with business context). CVSS v4.0 may be adopted later; we will note changes on the VDP page.
| Severity | CVSS (Base) | Example Impact | Target Fix (Prod) |
|---|---|---|---|
| Critical | 9.0–10.0 | Remote code execution; authentication bypass; data exfiltration at scale | 7 days |
| High | 7.0–8.9 | Privilege escalation; significant PII access | 14 days |
| Medium | 4.0–6.9 | Stored XSS; limited data exposure | 30 days |
| Low | 0.1–3.9 | Minor info leak; best‑practice gaps with minimal risk | 90 days |
| Informational | 0.0 | Non‑exploitable observation | As prioritised |
These timelines are targets and may vary with complexity, third‑party dependencies or safety constraints. We will communicate if targets cannot be met and agree on a revised plan.
4 Disclosure Policy & Legal Terms
Coordinated disclosure: After we validate and remediate, we may publish advisories and credit researchers.
Embargo period: Please do not publicly disclose details until 90 days after a fix (or earlier with our written consent). Extensions may be requested by either party in good faith.
No data retention: Delete any non‑public data obtained during research once no longer needed to verify the fix.
No warranties: This program does not create contractual obligations beyond the recognition noted herein.
Jurisdiction & compliance: Researchers must comply with all applicable laws, export controls and sanction regimes.