Security Policy

Responsible Disclosure

We take the security of our products and our customers' environments seriously. If you've discovered a security vulnerability, we want to hear from you.

Scope

What's covered

The following defines what is and isn't in scope for responsible disclosure.

In Scope

  • VaultGuard360 application code and deployment templates
  • IAMGuard360 application code and deployment templates
  • Sentinel Vault Systems websites (sentinelvaultsystems.com, vaultguard360.com, iamguard360.com)
  • Our public APIs and documentation

Out of Scope

  • Customer Azure environments (we don't own those)
  • Third-party services we integrate with (Azure, Microsoft Graph, etc.)
  • Social engineering attacks against our employees
  • Physical attacks against our infrastructure
  • Denial of service attacks

Reporting

How to report a vulnerability

Include as much detail as possible:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code (if applicable)
  • Your contact information (optional, but helps us follow up)

Response

What to expect

We'll work with you to understand and validate the issue. We'll keep you informed as we work toward a fix.

Step                 Timeline
Acknowledgment       Within 48 hours
Initial assessment   Within 7 days
Status update        Every 14 days until resolved
Resolution           Depends on severity, typically 30-90 days

Safe Harbor

Our commitment to researchers

If you follow this policy in good faith, we commit to protecting you.

We commit to:

  • Not pursuing legal action against you for your research
  • Not reporting you to law enforcement for your research
  • Working with you to understand and resolve the issue quickly

To qualify for safe harbor:

  • Don't access, modify, or delete data that isn't yours
  • Don't degrade or disrupt our services
  • Don't publicly disclose the vulnerability before we've had reasonable time to fix it
  • Don't use the vulnerability for any purpose other than reporting it to us

Recognition

We believe in recognizing researchers who help us improve our security.

  • We'll credit you publicly (with your permission) in our security acknowledgments
  • We're exploring a formal bug bounty program for the future

We don't currently offer monetary rewards, but we're committed to treating researchers with respect and transparency.

Questions?

If you're unsure whether something is in scope or want to clarify anything before testing, reach out first. We're happy to discuss.

security@sentinelvaultsystems.com