Vulnerability Disclosure Policy
Verdant welcomes responsible disclosure of security vulnerabilities. If you have found a security issue on our website or infrastructure, please report it.
How to report
Email security@verdant.party with details of the vulnerability. Please include steps to reproduce, any proof of concept, and your contact details for follow-up.
Safe harbour
We will not pursue legal action against anyone who reports a vulnerability in good faith, provided they:
- Do not access or modify data beyond what is necessary to demonstrate the vulnerability
- Do not cause damage to systems or data
- Do not disclose the vulnerability publicly before we have resolved it
- Act in good faith to improve our security
Response timeline
| Stage | Target |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 5 working days |
| Critical vulnerability fix | Within 72 hours |
| High vulnerability fix | Within 10 working days |
| Medium/low fix | Next release cycle |
Machine-readable disclosure
/.well-known/security.txt — RFC 9116 compliant.