🔒 Responsible Vulnerability Disclosure Policy

            VSA encourages responsible disclosure of security vulnerabilities. We are committed to handling all security reports professionally and transparently.
        

📧 Security Contact

Primary Email: security@vsa.fr

Contact : https://vsa.fr/#Contacts

PGP Key: https://vsa.fr/.well-known/pgp-key.txt

Accepted Languages: French, English

📋 Types of vulnerabilities we're looking for

🔴 Critical Priority

Remote Code Execution (RCE)
SQL Injection allowing data access
Authentication bypass
Privilege escalation
Unauthorized access to user data

🟠 High Priority

Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) on critical functions
Local/Remote File Inclusion (LFI/RFI)
Sensitive data exposure
Access control bypass

🟡 Medium Priority

Reflected XSS
Technical information disclosure
Security configuration issues
Rate limiting bypass
Missing security headers

📝 Report Format

For efficient processing, your report should include:

Summary: Clear and concise description of the vulnerability
Impact: Potential consequences of exploitation
Reproduction Steps: Detailed step-by-step instructions
Proof of Concept: Screenshots, logs, or demonstrative code
Recommendations: Suggested fixes if available
Environment: Browser, OS, tools used

📧 Using Encryption

Strongly recommended for critical vulnerabilities:

Download our PGP key: curl https://vsa.fr/.well-known/pgp-key.txt
Import the key: gpg --import vsa-pgp-key.txt
Encrypt your report: gpg --armor --encrypt --recipient security@vsa.fr report.txt
Send the encrypted file by email

⏱️ Processing Timeline

🚀 Response Times

Acknowledgment: Within 24 hours
Initial assessment: Within 72 hours
Regular updates: Every 2 weeks
Resolution: According to criticality (see below)

🕐 Target Resolution Times

Critical: 7 business days
High: 30 business days
Medium: 90 business days
Low: 180 business days

🏆 Recognition Program

We recognize security researchers' contributions in several ways:

Hall of Fame: Public mention on our acknowledgments page
Recognition Certificate: Official thank you document
Professional Reference: Recommendation letter (upon request)

Note: VSA does not currently offer monetary bug bounties, but we are evaluating this possibility for the future.

⚖️ Legal Guidelines

🤝 Researcher Protection

VSA commits not to pursue legal action against researchers who:

Follow this disclosure policy
Do not attempt to access, modify, or delete data
Do not disrupt our services or those of our users
Do not publicly disclose the vulnerability before remediation
Report the vulnerability only to VSA

🚫 Prohibited Activities

Testing on accounts that don't belong to you
Extracting personal or confidential data
Modifying or deleting data
Load testing or denial of service
Social engineering or phishing
Destructive or invasive testing

📅 Coordinated Disclosure

📢 Publication Policy

Embargo: Minimum 90 days after initial report
Possible extension: If exceptional circumstances warrant it
Coordinated publication: After remediation and mutual agreement
Credit: Public attribution to discoverer (unless requested otherwise)

📞 Contact and Support

🆘 For Critical Emergencies

For critical vulnerabilities requiring immediate attention:

Send an email to security@vsa.fr with subject [URGENT] Critical Vulnerability
Encrypt content with our PGP key
We will respond within 4 hours during business hours

❓ Questions About This Policy

For any questions regarding this disclosure policy, contact us at security@vsa.fr

VSA Vulnerability Disclosure Policy

Version 1.0 - Last updated: June 27, 2025

This policy may be modified without notice. Please check this page regularly.