Security & Responsible Disclosure

We believe that coordinated, good-faith security research makes software safer for everyone. We are committed to:

• Investigating and addressing all legitimate reports in a timely manner
• Keeping researchers informed about the status of their reports
• Not pursuing legal action against researchers who act in good faith and follow this policy
• Publicly acknowledging researchers who report valid vulnerabilities, where permission is given

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorised.

If at any time you are unsure whether your research is consistent with this policy, please contact us at security@analyse.net before proceeding.

The following assets are in scope for security research under this policy:

The following are explicitly out of scope:

• Denial of service (DoS / DDoS) attacks, volumetric testing, or any activity that degrades service for other users
• Social engineering of Analyse staff, customers, contractors, or vendors (phishing, pretexting, vishing, smishing)
• Physical attacks against offices, data centres, or hardware belonging to us or our sub-processors
• Attacks against third-party services we integrate with (Vercel, Stripe, Resend, MongoDB, Tebex, etc.) — please report those directly to the respective vendor
• Findings produced exclusively by automated scanners without a working proof-of-concept
• Reports of missing security headers, outdated libraries, or TLS configuration without a demonstrable exploit path
• Self-XSS, tab-nabbing, clickjacking on pages without sensitive actions, and similar low-severity issues
• Vulnerabilities requiring physical access to a user's device, a rooted or jailbroken device, or a malicious extension already installed
• Rate-limiting or brute-force issues on endpoints without authentication

To qualify for safe harbor, you must:

• Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
• Only interact with accounts you own, or with the explicit permission of the account holder
• Not access, modify, or delete data belonging to other users — stop as soon as you have enough information to demonstrate the vulnerability
• Not exfiltrate data beyond the minimum necessary to prove the issue exists, and securely delete any proof-of-concept data after reporting
• Not exploit the vulnerability for any reason other than demonstrating it (no lateral movement, no persistence, no backdoors)
• Give us a reasonable amount of time to investigate and remediate before publicly disclosing the issue (see Section 08)
• Not submit reports produced by automated tooling without a manually verified proof-of-concept

Please send reports to security@analyse.net. A good report includes:

• A clear description of the vulnerability and its potential impact
• Step-by-step instructions to reproduce the issue
• Any proof-of-concept code, payloads, screenshots, or request/response pairs
• The asset affected (URL, endpoint, plugin version, SDK version)
• Your name or handle if you would like to be credited

Please report in English or Dutch where possible, and encrypt sensitive details if you would like — we can arrange a PGP key on request.

If we cannot reproduce an issue or believe it falls outside the scope of this policy, we will explain our reasoning so you can follow up if you disagree.

We ask that you give us a reasonable amount of time to remediate a reported vulnerability before publicly disclosing it. Our default window is 90 days from the date of initial report, which aligns with common industry practice.

If a fix requires more time due to complexity, dependencies on third parties, or the need to coordinate with affected customers, we will communicate that to you and agree on an extended timeline in good faith.

We are happy to credit researchers by name or handle in release notes or a dedicated acknowledgments page when a report leads to a fix, if you would like to be credited.

We do not currently run a paid bug bounty program. Reports are reviewed and remediated on a best-effort basis, and researchers who materially contribute to the security of the platform may be credited as described in Section 08.

We may introduce a bounty program in the future. Any changes to this policy will be reflected on this page and in the /.well-known/security.txt file.

This policy is governed by and construed in accordance with the laws of the Hellenic Republic (Greece). Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of Athens, Greece.

Nothing in this policy is intended to waive or limit the rights of researchers under applicable law, or to create obligations inconsistent with the Terms of Service or Privacy Policy.

For security-related reports and questions, contact security@analyse.net. For all other inquiries, see the contact@vertcodedevelopment.com address listed in our other legal documents.