Vulnerability Disclosure Program

VERIDU welcomes coordinated vulnerability reports and provides safe-harbor protections for good-faith security research.

Framework alignment: ISO/IEC 29147 and CISA BOD 20-01 disclosure program guidance.

Scope

CategoryIn scopeOut of scope
Domainsveridu.id, *.veridu.id, dashboard.veridu.idThird-party hosted marketing pages not controlled by VERIDU
APIs/api/*, /api/v1/*, /sdk/* endpointsThird-party processor APIs
SDK assets/sdk/verify/*, /sdk/identity/*Customer-modified forks and custom wrappers
Operational systemsVerification, identity, billing, webhooks, trust-center workflowsSubprocessor-owned infra controls

Safe harbor

VERIDU will not pursue legal action against researchers who, in good faith, follow this policy, avoid privacy violations, avoid service disruption, and promptly report discovered vulnerabilities through approved channels.

How to report

Preferred intake: /security/report.html · Email fallback: security@veridu.id.

For encrypted submissions, use VERIDU's PGP key: /.well-known/security-pgp.asc.

Response SLA: acknowledgment within 24h, triage within 72h, initial remediation plan within 10 business days.

Program roadmap

VERIDU currently operates this public VDP and plans a private bug bounty rollout with managed platform workflows before expanding to a broader researcher audience.

Ready to go beyond 50K verifications?

$0.0015 per check. No subscription. No contracts. Pay only for what you use.

View Pricing →