Vention Vulnerability Disclosure Policy


This policy outlines the process for reporting vulnerabilities in our services and products. We recognize the importance of security researchers in keeping our system safe, and we request that all researchers abide by this policy when disclosing vulnerabilities.


This policy applies to any discovered vulnerabilities in the digital systems owned, operated, or maintained by Vention.

How to report a vulnerability

All vulnerability reports should be sent via email to Please include as much information as possible, such as the steps to reproduce the vulnerability, the potential impact, and any possible mitigations. If possible, please include proof-of-concept code or screenshots.

You can use the following PGP key to encrypt the communication of sensitive information:


What to expect when you report a vulnerability

Vention will make its best effort to acknowledge valid & impactful reports within 5 business days. Our security team will review your report and determine the severity of the vulnerability. Once the evaluation is done, we will send a response indicating the next steps. Please refrain from publicly disclosing the vulnerability before we've had a chance to address it.

Based on the complexity of the vulnerability, Vention Security will provide status updates and further communications as work progresses to fix the vulnerability.

Safe Harbor

We will not initiate legal action against researchers who discover and report vulnerabilities in accordance with this policy. We consider such activities conducted in good faith under this policy to constitute "authorized" conduct. However, malicious use of a discovered vulnerability to negatively impact the availability, integrity, or confidentiality of Vention systems will negate safe harbor, and violate this policy.


The reporter agrees not to disclose the vulnerability to other parties until a vulnerability has been resolved.


While we can't promise rewards for every reported vulnerability, we prioritize rewarding the efforts of researchers who provide valuable input and comply with this policy. At the discretion of the Director of CyberSecurity, and within the budget limitations set by Finance, Vention will reward reporters of impactful High and Critical vulnerabilities which result in successful remediation.


Vulnerabilities which require end-users and customers to update Vention-managed software on their client devices will be disclosed in the changelog for that update. Where required, further publications will be posted on the Security section of the Vention website and will follow the format guidelines set by ISO 29147.

Policy Guidance

Where appropriate and applicable, Vention strives to follow the processes laid out in ISO 29147.

Policy Updates

This policy may be updated from time to time, and we encourage all security researchers to periodically review this policy.

Contact Us

If you have any questions about this policy, please contact us at