Vulnerability Disclosure Policy (VDP)

Effective Date: April 7, 2026

Venator Cyber Operations Group (“Venator,” “we,” “us,” or “our”) is committed to maintaining the security and integrity of our systems. We welcome reports from security researchers and the public to help identify and remediate vulnerabilities responsibly.

This policy outlines how to report vulnerabilities and the expectations for responsible disclosure.

1. Purpose

The purpose of this Vulnerability Disclosure Policy is to:

  • Provide a clear process for reporting security vulnerabilities

  • Define acceptable testing activities

  • Protect good-faith security researchers

  • Ensure vulnerabilities are addressed in a timely and responsible manner

2. Scope

This policy applies to the following systems:

  • Public-facing websites owned and operated by Venator Cyber Operations Group

  • Domains and subdomains of venatorcyber.io

  • Publicly accessible services hosted by Venator

Out of Scope

The following are not authorized for testing:

  • Third-party systems or services not owned by Venator

  • Client environments, data, or infrastructure

  • Any systems requiring authentication, unless explicit permission has been granted

  • Denial of Service (DoS/DDoS) testing

  • Social engineering (phishing, pretexting, etc.)

  • Physical attacks or attempts to access facilities

3. Guidelines for Responsible Disclosure

We ask that you:

  • Act in good faith to avoid privacy violations, data destruction, or service disruption

  • Only test systems within the defined scope

  • Use non-destructive methods to identify vulnerabilities

  • Refrain from accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the issue

  • Immediately stop testing if you encounter sensitive data and report it to us

4. Prohibited Activities

The following activities are strictly prohibited:

  • Exploitation of vulnerabilities beyond proof-of-concept

  • Attempting to access or retrieve sensitive data

  • Introducing malware or persistent backdoors

  • Conducting automated high-volume scanning that impacts availability

  • Attempting to pivot into internal or client systems

  • Public disclosure of vulnerabilities without prior authorization

5. Safe Harbor

Venator will not pursue legal action against individuals who:

  • Act in good faith

  • Follow this policy and its guidelines

  • Report vulnerabilities promptly and responsibly

We consider activities conducted in accordance with this policy to be authorized.

If your research inadvertently violates any laws, we will work with you in good faith and support safe harbor protections where applicable.

6. Reporting a Vulnerability

Please report vulnerabilities by emailing:

📧 security@venatorcyber.com

Include the following details:

  • Description of the vulnerability

  • Steps to reproduce the issue

  • Affected URL(s) or systems

  • Potential impact

  • Any proof-of-concept (screenshots, logs, or code)

7. Response and Disclosure Process

Venator will:

  • Acknowledge receipt of your report within a reasonable timeframe

  • Investigate and validate the issue

  • Provide updates as appropriate

  • Remediate confirmed vulnerabilities in a timely manner

We request that you:

  • Allow us reasonable time to investigate and remediate before public disclosure

  • Coordinate with us if you wish to publish findings

8. Recognition

At this time, Venator does not offer a bug bounty program. However, we may acknowledge responsible disclosures at our discretion.

9. No Client Impact Clause

Under no circumstances should testing involve:

  • Client data

  • Client systems

  • Any environment not explicitly owned and operated by Venator

Violations of this clause may result in legal action.

10. Policy Updates

We may update this Vulnerability Disclosure Policy periodically. Changes will be posted on this page with an updated effective date.

11. Contact

For vulnerability reports and questions:

support@venatorcyber.io