Vertex

Guidelines and Scope

Vertex considers all of our products as valid vulnerability research targets. However, researchers are expected to use caution and good judgement when testing Synapse Power-Ups which provide mechanisms for calling 3rd party APIs. Any costs incurred or policy violations of 3rd party terms of service are the responsibility of the individual researcher. Additionally, research against any on-prem customer or 3rd party deployments of Vertex products is expressly forbidden under the scope of this policy.

Provided you make a good faith effort to avoid triggering resource exhaustion or denial-of-service conditions, Vertex may be willing to provision a demo instance for use in your security research.

Forbidden Testing Methods

• Denial-of-service against Vertex hosted infrastructure
• Physical testing
• Social engineering
• Any other non-technical vulnerability testing

What We Would Love to See in a Vulnerability Report

• A clear and detailed description of the steps needed to reproduce the vulnerability
• A proof-of-concept script or screenshots (ideally)
• Any non-default configuration changes or example data required where possible

What to Expect from Us

We will acknowledge receipt of your vulnerability disclosure within 3 business days. After that, we will triage the vulnerability and coordinate with you about the timelines for us to deploy fixes and/or issue a public statement. We are happy to provide public acknowledgement in our changelog for the version which addresses the issue :)