laet4x.com

Disclosure Policy

This policy defines the rules of engagement, scope, and disclosure process for Vanguard VDP. All researchers must read and agree to this policy before submitting a report.

Program Overview

The Vanguard VDP is our commitment to working collaboratively with the global security research community. We welcome good-faith reports of security vulnerabilities affecting laet4x.com and its associated infrastructure.

Valid reports receive acknowledgment within 48 hours and a triage decision within 7 business days. Researchers who identify and responsibly disclose qualifying vulnerabilities are eligible for public recognition in our Hall of Fame.

Scope

In Scope

  • vanguard.laet4x.com
  • laet4x.com

Out of Scope

The following will not be accepted as valid vulnerability reports:

  • Phishing, smishing, or social engineering attacks
  • Physical security issues
  • Denial of Service (DoS/DDoS) attacks or testing
  • Vulnerabilities in third-party services not under our control
  • UI/UX issues, typos, or cosmetic bugs without security impact
  • Informational findings (e.g. banner disclosure, missing headers) with no demonstrated exploitability
  • Best practice recommendations without a proof-of-concept demonstrating real risk
  • Self-XSS or attacks requiring physical device access
  • Rate limiting issues without demonstrated business impact
  • Theoretical vulnerabilities that cannot be reproduced

What to Include in a Report

Incomplete reports may be closed without triage. High-quality submissions are reviewed faster. Please include:

  • Vulnerability type — e.g. XSS, IDOR, SQL Injection, SSRF, authentication bypass
  • Affected asset — URL, endpoint, parameter, or component
  • Severity assessment — your estimated impact (Critical / High / Medium / Low)
  • Steps to reproduce — clear, step-by-step instructions
  • Proof of concept — screenshots, HTTP request/response logs, or PoC code
  • Impact statement — what an attacker could achieve by exploiting this issue
  • Suggested remediation (optional but appreciated)

Disclosure Process

  1. Submit: Sign in and submit your report through the platform with full reproduction details.
  2. Triage: Our security team reviews, validates, and assigns a severity rating within 7 business days.
  3. Remediation: We develop and test a fix. We may request clarification or invite collaboration on the patch.
  4. Resolution: Once resolved, we close the report and update its status. Qualifying researchers are added to the Hall of Fame.

Rules of Engagement & Safe Harbor

Researcher Obligations

  • Only test against assets explicitly listed in scope
  • Do not access, exfiltrate, modify, or destroy data belonging to others
  • Do not disrupt production services or degrade availability
  • Do not publicly disclose findings before we have had the opportunity to remediate
  • Act in good faith — no extortion, threats, or demands
  • Comply with all applicable laws throughout your research

Our Commitment to Researchers

  • We will not pursue legal action against researchers who comply with this policy
  • We will respond to all valid reports within 48 hours of receipt
  • We will keep you informed of triage and remediation progress
  • We will recognize qualifying researchers publicly in our Hall of Fame
  • We will coordinate disclosure timing with you in good faith