Security Disclosure Policy

Last updated: 18 April 2026

We take the security of our platform and our clients' projects seriously. If you believe you've found a vulnerability, we want to hear about it. This page describes how to reach us, what happens after you report, and the protections we extend to good-faith researchers.

How to report

  • Email security@vinetech.co.ke with a clear technical summary.
  • Include the affected URL, a reproduction, and any proof-of-concept.
  • If the report is sensitive, request a PGP key in the first message and we will respond with one.

What you can expect

  • Acknowledgement within 3 business days.
  • A technical triage response within 7 business days, including whether the finding is in scope, its severity, and next steps.
  • Regular updates until the report is resolved or explicitly closed.

Scope

  • vinetech.co.ke and subdomains we operate.
  • First-party applications we host for clients (staging and production).
  • Reports about third-party services we simply use (Google, Cloudflare R2, Resend, Africa’s Talking, etc.) should be sent directly to those vendors.

Out of scope

  • Denial-of-service attacks or load testing.
  • Automated scanner output without a working proof-of-concept.
  • Missing security headers on pages that handle no sensitive data.
  • Social engineering of employees or clients.

Safe harbor

  • We will not pursue civil or criminal action against good-faith researchers who follow this policy.
  • Do not access data that is not your own, do not modify data you do not own, and do not disrupt service.
  • If you inadvertently access such data, stop, delete any copies, and tell us immediately.

security.txt

A machine-readable copy of this policy lives at /.well-known/security.txt, per RFC 9116.