Vectra AI Vulnerability Disclosure Policy

Introduction

At Vectra AI, we consider the security of our systems a top priority. Despite our best efforts to ensure the security of our systems, vulnerabilities may still exist. We appreciate the efforts of security researchers who invest their time and skills to help us identify and address these vulnerabilities, thereby enhancing our security posture.

This Vulnerability Disclosure Policy outlines how you can report vulnerabilities to us, what we expect from security researchers, and what you can expect from us in return.

Response Targets

Vectra AI, Inc. (Disclosure Program) will make a best effort to meet the following SLAs for hackers participating in our program:

We'll try to keep you informed about our progress throughout the process.

Program Scope

We encourage the submission of the following types of web application vulnerabilities including but not limited to:

• Cross-site scripting
• Cross-site request forgery in a privileged context
• Server-side code execution
• Authentication or authorization flaws
• Injection Vulnerabilities
• Directory Traversal
• Information Disclosure
• Significant Security Misconfiguration

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will be closed.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

• Only interact with accounts you own or with explicit permission of the account holder.

• Current or former employees of Vectra AI are not eligible for the program.

• Add an identifying HTTP header to your traffic where possible:

  • To help us quickly and reliably match web requests to your HackerOne/portal submission, please include an identifying HTTP header when reproducing an issue on our public-facing systems.
  • Header name: X-Bug-Bounty
  • Recommended contents: a short non-PII identifier issued by the disclosure portal (for example a portal username or one-time submission token).
  • Examples:
    • X-Bug-Bounty: portal-username=alice123
    • X-Bug-Bounty: token=H1-abc123
  • Important notes:
    • Do not send personal data (email, phone number, real name, passwords, or other PII) in this header.
    • Always use HTTPS when sending the header.
    • Including the header is strongly encouraged and will help speed tracking and triage, but it will not be the sole proof of report ownership — always also file the report on our HackerOne/portal.

Out of Scope

When reporting potential vulnerabilities, please consider (1) realistic attack scenarios, and (2) the security impact of the behavior. Below, you will find the most common false positives we encounter. The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact.

Theoretical vulnerabilities that require unlikely user interaction or circumstances

• Vulnerabilities only affecting users of unsupported or End of Life browsers
• Broken link hijacking
• Open redirects (unless you can demonstrate additional security impact)
• Tabnabbing
• Content spoofing and text injection issues
• Attacks requiring MITM or physical access to a user's device

Theoretical vulnerabilities that do not demonstrate real-world security impact

• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on forms with no sensitive actions (e.g., Logout)
• Permissive CORS configurations without demonstrated security impact
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
• Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.

Optional security hardening steps / Missing best practices

• SSL/TLS Configurations
• Lack of SSL Pinning
• Lack of jailbreak detection in mobile apps
• Cookie handling (e.g., missing HttpOnly/Secure flags)
• Content-Security-Policy configuration opinions
• Optional email security features (e.g., SPF/DKIM/DMARC configurations)
• Most issues related to rate limiting and brute force behaviors

Additional exclusions

• Known CVEs are excluded for a reasonable period of time following the public availability of a patch (typically 30 days).
• Any activity that could lead to the disruption of our service (DoS, DDoS).
• Social engineering of our employees or contractors, unless explicitly authorized.
• Attacks against our physical facilities, unless explicitly authorized.
• Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.
• Attacks requiring disabling Man In The Middle (MITM) protections.
• Attacks only affecting obsolete browsers or operating systems.
• Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.
• Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
• Issues that require unlikely user interaction by the victim.
• Portals that are operated by 3rd parties: we'll not reward 3rd party vendor vulnerabilities (ie. those in their apps), but we will accept any misconfigurations that is responsibility of Vectra, leading to vulnerabilities, data leaks, etc.

Reporting Guidelines

Reporting Process

Submit your findings via HackerOne or through our reporting email at [email protected]

Include detailed information to help us reproduce and validate the issue.

Report Requirements

A high-quality report should include:

• Clear description of the vulnerability
• Step-by-step reproduction instructions
• Impact assessment
• Supporting materials (screenshots, proof-of-concept code, etc.)
• Any ideas for remediation

Safe Harbor Provisions

Security researchers who:

• Make a good faith effort to comply with this policy
• Report a vulnerability directly to us
• Avoid privacy violations, service disruption, data destruction, or harm to others

will receive:

• No legal action related to the research
• No legal action from Vectra for accidental violations of this policy
• Authorization under the Computer Fraud and Abuse Act (and similar laws) for your security research

Note: This safe harbor applies only to legal claims under Vectra AI's control and does not bind third parties.

Our Commitments

Communication Timeline

• Initial Acknowledgement: We will acknowledge your report within 2 business days
• Assessment: We will assess and validate reports within 2 business days
• Regular Updates: We will provide status updates throughout the remediation process

Remediation Timeline

We strive to resolve vulnerabilities within the following timeframes although can vary based on severity and complexity:

Disclosure Policy

Coordinated Disclosure

We request that all vulnerabilities remain confidential during the remediation period.

Public disclosure may occur 30 days after remediation is complete, subject to:

• Approval of such disclosure by a member on the Vectra AI Team
• Vectra AI confirming remediation is complete
• Disclosure not including sensitive information or details that could harm our users
• A draft of the disclosure being shared with Vectra AI at least 7 days prior to publication

Extensions

We may request additional time for complex vulnerabilities requiring extensive remediation. In such cases:

• We will clearly communicate the reasons for the extension
• We will provide a revised timeline for resolution
• We will continue to provide regular status updates

Joint Disclosure

For significant findings, we welcome the opportunity to coordinate joint disclosure announcements that highlight both the researcher's discovery and Vectra AI's remediation efforts.

Vectra AI reserves the right to request confidentiality for vulnerabilities that could pose significant risk if disclosed prematurely.

Recognition Program

Researcher Acknowledgment

With your permission, we will provide a public acknowledgment of your contribution when appropriate.

Legal Considerations

Data Protection and Privacy

• Do not access, modify, or store personal data you may encounter
• Immediately delete any personal data inadvertently collected
• Report any potential privacy violations immediately

Prohibited Activities

The following activities are strictly prohibited:

• Accessing, modifying, or destroying data belonging to other users
• Executing or attempting Denial of Service attacks
• Social engineering of Vectra AI employees or contractors
• Physical attempts to access Vectra AI facilities
• Automated or excessive scanning causing service degradation

Contact Information

For any questions about this policy:

📧 [email protected]

To report security vulnerabilities:

📧 [email protected]

Policy Updates

This policy may be updated from time to time. We will announce significant changes through our website and direct communication with active researchers.

Last Updated: November 12th, 2025

Thank you for helping keep Vectra AI, and our users safe!