Responsible Disclosure
Report suspected vulnerabilities to security@buyvps.us with a clear description, affected URL, reproduction steps, impact, screenshots or proof-of-concept details, and your contact information.
Do not publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and remediate it.
Rules of Engagement
Do not access, alter, delete, download, or disclose data that does not belong to you. Do not run destructive tests, denial-of-service tests, spam, phishing, social engineering, physical attacks, or tests against customer VPS instances without authorization.
Testing must be limited to your own account and resources unless we provide written authorization.
Safe Harbor
When research is performed in good faith, follows this policy, avoids harm, and is promptly reported, we will not intentionally pursue legal action solely for the security research. This does not authorize activity that violates law or affects third parties.
Response Process
We aim to acknowledge credible reports within 3 business days, triage based on severity, request additional details where needed, and provide status updates when practical.