Last updated: 24 April 2026
We welcome good-faith reports of potential vulnerabilities in public Vezha services. This policy defines responsible testing and disclosure rules.
Scope
Public Vezha websites, APIs, and services that are owned or controlled by Vezha are in scope.
Third-party services, user accounts, social engineering, physical attacks, DDoS, spam, and destructive testing are out of scope.
Testing rules
Use the minimum testing needed to confirm a vulnerability. Do not access other people's data, alter data, degrade availability, or store personal data.
Stop testing and notify us immediately if you accidentally access data or affect the service.
How to report
Send a description, reproduction steps, impact evidence, timestamps, URLs, test account, and response contact to security@vezha.io.
We aim to acknowledge reports, assess risk, and provide updates when practical.
Safe harbor
If you act in good faith, within this policy, and without harm to users, Vezha does not intend to initiate legal claims for the testing itself.
This policy does not authorize unlawful activity and does not create a bounty unless a separate written bounty program is announced.