Reporting a vulnerability

Email [email protected] with:

• A description of the vulnerability and its potential impact

• Steps to reproduce, including the affected component or version

• Any proof-of-concept code or example payloads, if applicable

• Your preferred name or attribution for public acknowledgement, if any

The maintainer reads this inbox directly. Reports are not routed to a help desk or shared inbox.

Response timeline

We aim to:

• Acknowledge receipt within 48 hours

• Provide an initial assessment within 5 business days

• Coordinate disclosure within 90 days of the initial report

If the issue is critical and requires immediate action, flag urgency in the subject line. We will respond as quickly as the situation requires.

Scope

In scope:

• The vsmcodex codebase, once published from 1 September 2026

• vsmcodex.org and the documentation site

• The methodology engine — calculation logic, data validation, output integrity

• Email infrastructure for [email protected] and [email protected]

  
  

Out of scope:

• Third-party dependencies — please report upstream where possible

• Social engineering of project staff

• Denial-of-service attacks against site infrastructure

• Issues requiring extraordinary access (physical access to maintainer hardware, prior compromise of the maintainer's accounts)

  
  

The commercial Verusum platform is governed by a separate security policy. Once Verusum's commercial site is live, vulnerabilities specific to that platform should be reported to the contact published there.

Coordinated disclosure

We follow coordinated disclosure: please give us a reasonable opportunity to investigate and patch before publishing details. The default coordination window is 90 days from the initial report. We will request an extension only if the fix requires regulatory coordination — for example, methodology changes that affect EU CBAM reporting compliance — and we will keep you informed throughout.

Safe harbor

We will not pursue legal action against security researchers who:

• Act in good faith

• Comply with this disclosure policy

• Avoid privacy violations, destruction of data, and service disruption

• Do not exploit the vulnerability beyond what is necessary to demonstrate it

We treat researchers acting under this policy as collaborators, not as threats.

Recognition

With your permission, we will acknowledge your contribution in the release notes for the version that addresses the issue, and post-launch in a SECURITY-ACKS.md file in the repository.

Bug bounty

There is no monetary bug-bounty programme during the pre-launch period. A formal programme is under consideration once the project reaches public scale; see /governance for the long-term plan.

Encryption

If you wish to encrypt sensitive disclosures, request our PGP public key by emailing [email protected]. A machine-readable RFC 9116 disclosure file is also published at /.well-known/security.txt for security tooling and automated scanners.