Vulnerability Disclosure Program
VERIDU welcomes coordinated vulnerability reports and provides safe-harbor protections for good-faith security research.
Framework alignment: ISO/IEC 29147 and CISA BOD 20-01 disclosure program guidance.
Scope
| Category | In scope | Out of scope |
|---|---|---|
| Domains | veridu.id, *.veridu.id, dashboard.veridu.id | Third-party hosted marketing pages not controlled by VERIDU |
| APIs | /api/*, /api/v1/*, /sdk/* endpoints | Third-party processor APIs |
| SDK assets | /sdk/verify/*, /sdk/identity/* | Customer-modified forks and custom wrappers |
| Operational systems | Verification, identity, billing, webhooks, trust-center workflows | Subprocessor-owned infra controls |
Safe harbor
VERIDU will not pursue legal action against researchers who, in good faith, follow this policy, avoid privacy violations, avoid service disruption, and promptly report discovered vulnerabilities through approved channels.
- Do not access, modify, or exfiltrate customer data beyond the minimum needed for proof-of-concept.
- Do not perform denial-of-service, spam, social engineering, or physical attacks.
- Use only your own accounts/test data unless explicitly authorized.
- Allow VERIDU a reasonable remediation window before public disclosure.
How to report
Preferred intake: /security/report.html · Email fallback: security@veridu.id.
For encrypted submissions, use VERIDU's PGP key: /.well-known/security-pgp.asc.
Response SLA: acknowledgment within 24h, triage within 72h, initial remediation plan within 10 business days.
Program roadmap
VERIDU currently operates this public VDP and plans a private bug bounty rollout with managed platform workflows before expanding to a broader researcher audience.