# Security Disclosure Policy We welcome and value security research conducted in good faith. If you believe you have identified a vulnerability in our systems, services, or infrastructure, we encourage you to report it responsibly through our established security channel. Our goal is to work collaboratively with researchers to validate, prioritize, and remediate security issues in a timely and transparent manner. ## Reporting Channel Security vulnerability reports must be submitted exclusively to: **security@vtex.com** Reports submitted through any other channel will not be processed as vulnerability disclosures and may not receive a security response. ## How to Report a Vulnerability Your report should include: - Clear description of the vulnerability and the affected asset(s) - Step-by-step instructions to reproduce the issue - Proof of Concept (PoC), preferably minimal and non-destructive - Expected vs. actual behavior - Relevant request/response data, payloads, or logs (sanitized) - Screenshots or recordings demonstrating the issue - Timestamps and testing context (time, region, account used) - Suggested severity assessment (optional) - Your contact details for follow-up (optional — anonymous submissions are accepted, though providing contact details enables us to follow up and acknowledge your contribution) **Important:** Do not include sensitive customer data in your report. **Regarding AI-assisted reports:** You are responsible for manually validating any content generated by AI tools or automated scanners before submission. Reports that consist solely of tool output without manual analysis and a demonstrable PoC will not be accepted. ## Platform Scope VTEX is a multi-tenant commerce platform. This policy covers vulnerabilities in VTEX-owned and operated infrastructure, services, and platform components (vtex.com and related domains). **This policy does not cover:** - Individual merchant stores built on the VTEX platform — contact the respective merchant directly - Third-party integrations or services outside VTEX's control Performing security testing against the VTEX platform or any merchant store without prior written consent from VTEX constitutes a violation of our Master Services Agreement (MSA). The existence of this policy does not grant permission to conduct penetration tests or active scanning. ## Scope & Testing Guidelines You are expected to: - Act in good faith and avoid privacy violations, data destruction, or service disruption - Test only against accounts and assets you own or have been explicitly authorized to use — do not use accounts belonging to other merchants, customers, or employees - Stop testing immediately if you encounter sensitive data and report it to us You must **not**: - Access, modify, or exfiltrate data belonging to customers, employees, or third parties - Perform denial-of-service (DoS/DDoS) or resource exhaustion attacks - Conduct automated or high-volume scanning that impacts service stability - Attempt social engineering, phishing, or physical attacks - Exploit vulnerabilities beyond what is strictly necessary to demonstrate their existence ## Out of Scope The following will not be accepted as valid vulnerabilities: - Missing security headers (CSP, X-Frame-Options, etc.) without demonstrated impact - DNS or email configuration findings (CAA records, MTA-STS, DMARC, SPF, DKIM) without demonstrated exploitation impact - Self-XSS or issues requiring full control of the victim's browser or account - Publicly accessible CMS maintenance endpoints without demonstrated resource exhaustion impact - Rate limiting absence without demonstrated exploitation impact - Automated scanner output without manual validation and PoC - Vulnerabilities in third-party services outside our control - Social engineering or phishing simulations - Theoretical vulnerabilities without proof of exploitability - CVSS score inflation without supporting evidence - Merchant store misconfigurations that are the responsibility of the merchant to address ## Severity Assessment VTEX will perform its own independent severity assessment of all reported findings using CVSS scoring aligned with NIST NVD guidelines. Our internal classification may differ from the researcher's proposed severity based on: - Exploitability in the context of VTEX's platform architecture - Actual impact on customer data and platform integrity - Availability of compensating controls We will communicate our severity assessment to the reporter and provide technical justification if our classification differs materially from the submission. ## Bug Bounty / Rewards This is **not a public bug bounty program**. We do **not** guarantee monetary rewards for vulnerability reports. At our sole discretion, we may offer recognition or other forms of appreciation for impactful, well-documented findings. Details on public acknowledgment are described in the Recognition section below. ## Response & Handling Process We are committed to the following response targets: | Milestone | Critical (CVSS 9.0–10.0) | High (CVSS 7.0–8.9) | Medium (CVSS 4.0–6.9) | Low (CVSS 0.1–3.9) | |---|---|---|---|---| | Acknowledgment of receipt | 2 business days | 5 business days | 10 business days | 10 business days | | Initial triage and severity assessment | 15 days | 30 days | 45 days | Best effort | | Status updates | Every 15 days | Every 30 days | Every 30 days | On resolution | | Target remediation | 45 days | 60 days | 90 days | Team discretion | Response times may vary depending on report complexity and volume. We will communicate proactively if additional time is needed. Remediation deadlines reflect targets and may be extended for cases requiring architectural changes or risk acceptance under our internal governance process. ## Coordinated Disclosure We request a **90-day coordinated disclosure window** from the date of our acknowledgment before any public disclosure. This window may be: - Shortened by mutual agreement if remediation is completed and both parties agree - Extended by mutual agreement for complex issues requiring architectural remediation We ask that you: - **Do not publicly disclose** the vulnerability, assign a CVE, or share findings with third parties until the coordinated window has elapsed or mutual agreement has been reached - Coordinate with us in advance if you wish to publish your findings We aim to work with researchers toward a mutually agreed disclosure timeline and will not request indefinite embargo. When a valid vulnerability is confirmed, VTEX will coordinate CVE assignment through MITRE/NVD as appropriate. We ask that researchers refrain from self-assigning or publishing a CVE identifier before the coordinated disclosure window has closed or mutual agreement on disclosure has been reached. Early CVE publication without coordination undermines the remediation process and may expose platform users to unnecessary risk. ## Legal Safe Harbor We support responsible security research and will not pursue legal action against individuals who: - Act in good faith - Follow this policy - Do not intentionally harm our systems, users, or data - In the event of accidental access to sensitive data during testing, immediately notify our security team and refrain from retaining, copying, or disclosing that information This policy is governed by applicable law. If requested by our Security Team, you must cease testing immediately. ## Recognition We may publicly acknowledge researchers who responsibly disclose valid vulnerabilities, unless anonymity is requested. We appreciate your contribution to the security and integrity of our platform. *For questions about this policy, contact security@vtex.com.*