Security

At ViceWire Pty Ltd, we take security seriously. We encourage responsible disclosure of potential vulnerabilities to help us keep our platform safe for all users.

Scope

This policy applies to any vulnerabilities you are considering reporting in our public-facing services, including:

• https://vicewire.ai and all subdomains
• Our web applications and APIs

Our Commitments

When you report a vulnerability to us in good faith:

• We will not take legal action against you for security research conducted in good faith and in line with this policy.
• We will respond to your report as quickly as reasonably possible.
• We will keep you informed as we triage and investigate your submission.
• Where appropriate, we may credit security researchers by name with their consent.

How to Report

To report a vulnerability, please email:

security@vicewire.ai

Include, where possible:

• A detailed description of the vulnerability
• Steps to reproduce
• Affected URLs, endpoints, or components
• Any relevant attachments (screenshots, logs, proof-of-concept, etc.)

Please avoid including sensitive personal data in your report unless strictly necessary to demonstrate impact.

In-Scope Examples

Examples of issues that are generally considered in scope:

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Authentication or authorisation bypass
• Server-side code injection
• Sensitive data exposure
• Broken access control / insecure direct object references

Out-of-Scope Examples

The following are not in scope for this policy:

• Social engineering of ViceWire employees, contractors, or users
• Spam, DoS, or DDoS attacks
• Use of automated scanners that generate excessive traffic or noise
• Issues affecting third-party services not under ViceWire's control
• Self-XSS or issues that require a compromised device or browser

If you're unsure whether something is in scope, you can still contact us and we'll clarify.

Responsible Research Guidelines

To help keep everyone safe, please:

• Do not exploit a vulnerability beyond what is necessary to prove its existence and impact.
• Do not access, modify, or download data that does not belong to you.
• Do not intentionally disrupt service availability or degrade performance for other users.
• Give us a reasonable amount of time to investigate and resolve the issue before any public disclosure.

Reports that follow these guidelines will be treated as good-faith research.

Security Incident Response Process

In the event of a security incident, ViceWire Pty Ltd will follow a structured incident response process:

1. Identification – Detect and confirm the security incident, including assessing scope and impact.
2. Containment – Isolate affected systems or components to prevent further damage.
3. Eradication – Eliminate the root cause of the incident (for example, misconfigurations, compromised credentials, or vulnerable code).
4. Recovery – Restore systems and operations to normal and monitor for recurrence.
5. Post-Incident Analysis – Review the incident, our response, and any gaps, and implement improvements to reduce the likelihood and impact of future incidents.

Where legally required or appropriate, communication will be sent to impacted users and relevant stakeholders.

Changes to This Policy

We may update this policy over time. The current version will always be available at:

https://vicewire.ai/