Vulnerability Disclosure Policy

Introduction

At Várri Consultancy ("Várri"), we are committed to maintaining the security and integrity of our services and protecting the confidentiality of client and user data. This Vulnerability Disclosure Policy outlines our process for receiving, triaging, and remediating security vulnerabilities reported by external researchers.

This policy describes which systems and types of research it covers, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. Várri reserves the right to update this policy at any time.

We value the work of independent security researchers and encourage responsible disclosure in good faith.

Authorisation

If you are acting in good faith to identify and report vulnerabilities on Várri’s systems, while complying with this policy, we will consider your research to be authorised. We will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorisation known.

Guidelines

Authorised Research

Under this policy, “research” means activities in which you:

  • Notify us in line with this policy as soon as possible after you discover a real or potential vulnerability.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm the presence of a vulnerability.
  • Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Unauthorised Activities

The following test methods are not authorised and must not be used:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Using a so-called “brute force” attack to access any systems
  • Performing actions that could degrade service availability or performance
  • Placing malware (virus, worm, Trojan horse, etc.) on any system
  • Compromising any systems using exploits to gain full or partial control
  • Using attacks on physical security or physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
  • Accessing, copying, or modifying data that is not your own
  • Making changes to the system
  • Using automated tools to scan our systems without permission
  • Publicly disclosing the issue before coordination and remediation
  • Any unlawful means.

This policy does not authorise any breach of law or violation of any contractual obligations (including our Terms of Use).

Reporting a Vulnerability

What We Would Like to See from You

Information submitted under this policy will be used for defensive purposes to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Várri, we may share your report with the relevant entity. We will not share your name or contact information without express permission.

We accept vulnerability reports via our contact form or by email to hello@varri.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within five business days. We do not support PGP-encrypted emails.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against Várri related to your submission.

To help us triage and prioritise submissions, we recommend that your reports be written in English and include:

  • A description of the location (e.g., affected URLs, systems, or components) where the vulnerability was discovered and the potential impact of exploitation.
  • A detailed description of the steps needed to reproduce the vulnerability, including proof-of-concept scripts or screenshots, if available.
  • Your contact details (optional).

What You Can Expect from Us

When you report a vulnerability in good faith in line with this policy, and if you share your contact information with us, we will:

  • Acknowledge receipt of your report within five business days
  • To the best of our ability, confirm the existence of the vulnerability to you and be as transparent as possible about the steps we are taking during the remediation process, including any issues or challenges that may delay resolution
  • Provide regular updates on the remediation progress
  • Keep your personal information confidential (unless you consent to acknowledgement)
  • Not pursue legal action against you for reporting in accordance with this policy

Acknowledgments

We are grateful to individuals and organisations who take the time to report security issues in good faith. Your contributions help us uphold the integrity, confidentiality, and resilience of our services. Where appropriate and with your consent, we may publicly acknowledge your responsible disclosure on our Security Acknowledgements page.

Questions and Feedback

If you have any feedback or questions about this policy or need help with responsible disclosure, please feel free to reach out.