Vulnerability Disclosure Policy
Last updated: 12 February 2026
1. Introduction
Varangian Group Ltd welcomes reports of security vulnerabilities in our websites, services, and infrastructure. We are committed to working with security researchers to verify and address potential vulnerabilities.
This policy describes how to report vulnerabilities, what to expect from us, and what we ask of you.
2. Scope
In Scope
- varangian.ai and varangian.co.uk (websites and associated services)
- Any publicly accessible Varangian infrastructure
- Varangian-developed tools or software (if any)
Out of Scope
- Third-party services, applications, or websites linked from our site
- Social engineering attacks against Varangian employees
- Physical security assessments of our premises
- Denial of service (DoS/DDoS) testing
- Spam or email-based attacks
- Client systems and infrastructure (these are governed by separate engagement agreements)
3. How to Report
Send your report to: security@varangian.ai
If you wish to encrypt your report, the location of our PGP key is published in our security.txt file at varangian.ai/.well-known/security.txt
What to Include
- Description of the vulnerability and its potential impact
- Steps to reproduce (including URLs, parameters, screenshots, or proof-of-concept code)
- Your assessment of severity (if applicable)
- Your name and contact information (optional — anonymous reports are accepted)
- Any tools or techniques used in discovery
4. What We Ask of You
- Act in good faith — conduct research to identify vulnerabilities without causing harm
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Do not access, modify, or delete data belonging to others
- Do not disrupt our services or infrastructure
- Do not conduct denial-of-service attacks, social engineering, or physical testing
- Report promptly — notify us as soon as you identify a vulnerability
- Allow reasonable time for us to address the vulnerability before any public disclosure
- Comply with the law — ensure your research does not violate the Computer Misuse Act 1990 or other applicable legislation
5. What We Commit To
- Acknowledgement — We will acknowledge receipt of your report within 3 business days
- Assessment — We will assess the reported vulnerability and provide an initial response within 10 business days
- Communication — We will keep you informed of our progress in addressing the vulnerability
- Remediation — We will remediate confirmed vulnerabilities within a reasonable timeframe commensurate with the severity
- No legal action — We will not pursue legal action against researchers who act in good faith and comply with this policy
- Credit — With your permission, we will acknowledge your contribution when the vulnerability is disclosed
6. Safe Harbour
We consider security research conducted in accordance with this policy to be:
- Authorised with respect to the Computer Misuse Act 1990
- Conducted in good faith and not an intentional violation of our terms of service
If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
This safe harbour does not extend to activities that:
- Cause harm to Varangian, its clients, or third parties
- Access or exfiltrate data beyond what is necessary to demonstrate the vulnerability
- Violate any law, other than where the conduct is made lawful by the authorisation this policy grants
7. Disclosure
We follow coordinated disclosure principles:
- We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
- We aim to resolve critical and high-severity vulnerabilities within 30 days and medium/low within 90 days
- We will coordinate with you on the timing and content of any public disclosure
- If we are unable to resolve the issue in a reasonable timeframe, we will discuss an appropriate disclosure timeline with you
8. Recognition
We do not currently operate a paid bug bounty programme. However, we value the contributions of the security research community and, with your consent, we will:
- Credit you by name (or chosen alias) in any advisory we publish
- Provide a letter of acknowledgement suitable for professional portfolio purposes
9. Contact
- Security reports: security@varangian.ai
- General enquiries: info@varangian.ai
- security.txt: varangian.ai/.well-known/security.txt
10. References
This policy is aligned with: