We appreciate your help in finding bugs and identifying vulnerabilities in Veil! Please don't post security issues in the public issue tracker; use the contacts listed below instead.
For all security-related issues, Veil has three main points of contact:
- James Burden (4x13), https://keybase.io/4x13
- Tom Bradshaw (presstab), https://keybase.io/presstab
- Florian Maier (marsmensch), https://keybase.io/marsmensch
Please send all communications to those parties and expect a reply within 72h.
The Veil project is committed to the best practices around safe harbor for good-faith security research outlined at http://disclose.io/. There is nothing considered out-of-scope for testers and researchers following the rules outlined in this policy.
Vulnerability details may be shared with third parties after the vulnerability has been fixed and the program owner has provided permission to disclose or after 90 days from submission, whichever is sooner.
We are currently working on the creation of a formal reward policy. Until this policy is available, we will decide on a case-by-case basis, and researchers should not expect a specific reward. The Veil project is nonetheless grateful for all legitimate discoveries of vulnerabilities, and is happy to acknowledge the vulnerability and the researchers after a fix has been widely deployed.