Building the AI-native SOC for the 99% of companies who can't justify a $500K stack.
Coordinated disclosure

Found something in our stack? Tell us — we owe you a real answer.

We're a security company. We hold ourselves to a higher bar than the industry we're displacing. Every report gets a triage response from a founder within 24 hours, a real timeline within 5 business days, and a written post-mortem if the issue is material.

Scope & safe harbor

In scope.

  • vulneron.com and all subdomains
  • app.vulneron.app — the customer console
  • api.vulneron.app — the agent control plane
  • The agent runtime running in customer cloud, against a read-only role
  • The connectors we ship for AWS, GCP, Azure, Okta, Google Workspace, GitHub, k8s

Out of scope.

  • Social engineering of Vulneron staff
  • Physical attacks against offices or staff
  • Self-XSS that needs the victim to paste into the console
  • Missing security headers without a working exploit
  • SPF / DMARC issues on non-mail subdomains
  • Reports from automated scanners with no working PoC

Safe harbor.

If you act in good faith, stay within scope, give us reasonable time to remediate, and don't intentionally degrade customer data or service, we will not pursue legal action and will publicly thank you (or honor your request to stay anonymous).

Timeline you can plan against

What happens after you press send.

No black box. No "thanks, we'll get back to you" auto-responder. Every report gets handled by an engineer who can actually fix it.

Within 24h

Triage acknowledged by a human

A founder or senior engineer reads the report. You get back a triage verdict, a CVSS draft, and an internal ticket reference.

Within 5 business days

Reproduction & timeline

We confirm reproduction, finalize severity, and commit to a fix window. Critical/High get same-week patches. Medium/Low get a date you can hold us to.

Within 30 days

Remediation shipped

For Critical & High we publish a write-up alongside the fix. For Medium we cut a release note.

Within 90 days

Public disclosure

By default we publish within 90 days of report — earlier if patched, later only with your explicit consent. You get a co-byline if you want one.

Hall of fame coming Q3. Until then we'll thank you by name in the release notes.

Found something? security@vulneron.com