Responsible Disclosure

We take the security of Vimy and our customers' data seriously. If you've discovered a vulnerability, we want to hear from you.

How to report a vulnerability

Email your findings to:

[email protected]

Include as much detail as possible: a description of the vulnerability, steps to reproduce, the affected component or URL, potential impact, and any proof-of-concept code or screenshots.

We will acknowledge receipt of your report within 48 hours.
We will provide an initial assessment within 5 business days.
We will keep you informed of our progress toward resolution.
We will not pursue legal action against researchers acting in good faith.
We will credit you in our security acknowledgments if you wish, and if the vulnerability is confirmed and fixed.

What's in scope

  • The Vimy web application (app.vimyhq.com)
  • The Vimy marketing website (vimyhq.com)
  • The Vimy API
  • The Vimy agent

What's out of scope

  • Third-party services and integrations (Cloudflare, Google Workspace, Canadian cloud infrastructure, Stripe)
  • Social engineering or phishing attacks against Vimy employees
  • Physical attacks against Vimy infrastructure
  • Denial of service attacks
  • Automated scanning that degrades service for other users

We ask that you

  • Give us reasonable time to address the issue before disclosing publicly.
  • Do not access, modify, or delete data belonging to other users or tenants.
  • Do not degrade the availability or performance of Vimy services.
  • Act in good faith: test only within the defined scope and minimize any potential harm.
  • Do not use automated tools that generate excessive traffic or could impact other customers.

Safe Harbor

Vimy considers security research conducted in accordance with this policy to be authorized and will not initiate legal action against researchers who comply with these guidelines. If legal action is initiated by a third party against a researcher who has complied with this policy, we will make reasonable efforts to make it known that the researcher's actions were authorized.