Skip to content

Policy Center

Vantus legal policies

Client-facing terms, privacy, accessibility, data processing, copyright, security reporting, and vendor disclosures for Vantus Systems public services.

Responsible Disclosure

If you find a vulnerability in a Vantus-controlled system, report it safely. We want to fix real issues quickly while protecting customers, data, and researchers acting in good faith.

EffectiveJune 5, 2026

Safe harbor

Vantus will not pursue legal action against security researchers for good-faith testing that follows this policy, avoids privacy and service harm, and gives us a reasonable opportunity to remediate before public disclosure. This safe harbor does not authorize access to third-party systems, customer data, employee data, physical premises, or systems outside Vantus control.

How to report

Email vulnerability reports to security@vantus.systems. Include enough information for us to reproduce, assess, and prioritize the issue.

  • A clear description of the vulnerability and affected asset.
  • Steps to reproduce the issue using your own account or non-sensitive test data.
  • Potential impact and whether personal data, credentials, regulated data, or customer data may be involved.
  • Screenshots, logs, proof-of-concept code, or request/response samples when they do not expose third-party data.
  • Your preferred contact information and whether you want public credit after remediation.

Response targets

Stage
Target
Initial acknowledgement
Within 24 hours
Triage and severity assessment
Within 72 hours
Status update for validated reports
Within 7 days
Critical fix target
As soon as practical, with emergency escalation where needed

In scope

  • Public Vantus domains and applications controlled by Vantus.
  • Authentication, authorization, session, form, and privacy-sensitive flows controlled by Vantus.
  • Client portal or admin surfaces only when you have an authorized test account or written permission.
  • Security headers, access controls, exposure of secrets, and unintended public data disclosure.

Out of scope and prohibited testing

  • Accessing, exfiltrating, modifying, deleting, or disclosing customer, employee, or third-party data.
  • Denial-of-service, load testing, spam, phishing, social engineering, physical attacks, or coercion.
  • Installing malware, ransomware, persistent backdoors, cryptominers, or destructive payloads.
  • Testing third-party services outside Vantus control unless the third party separately authorizes it.
  • Public disclosure before Vantus has had a reasonable opportunity to validate, remediate, and notify affected parties where required.

Privacy-sensitive findings

If a vulnerability may involve personal data, protected health information, personal health records, child data, biometric data, credentials, or regulated financial data, stop testing immediately after confirming the issue and report it. Do not download, copy, retain, or share the data. Vantus will evaluate legal notice obligations under the applicable privacy, health, breach, and security rules.

Public disclosure

Please coordinate disclosure with us. We support researcher credit when the report is valid, the researcher followed this policy, and disclosure will not create additional risk for users or customers.

Related policies

See also the Privacy Policy, Terms of Service, and Data Processing Agreement.