Coordinated vulnerability disclosure

Our commitment to security

The security of our systems, products, and services is our top priority. We recognize security as an ongoing process that requires continuous evaluation of protective measures and adaptation to emerging threats. Collaboration with security professionals, customers, and the community enables us to proactively identify and mitigate risks before they pose a threat to our systems.

If you have identified a potential security risk or vulnerability in our infrastructure, we encourage you to report it to us securely and responsibly through our Coordinated Vulnerability Disclosure (CVD) program.

How to report a vulnerability

If you wish to report a security vulnerability, please follow these steps:

Contact our security team:

• 📧 E-mail: csirt@vnet.eu
• 🔐 Encrypted Communication: Use our PGP public key available at https://www.vnet.eu/pgp
• 🔗 More information about VNET-CSIRT security team found here

How we process your report

Once we receive your report, we commit to the following process:

• We will acknowledge receipt of your report within 2 bussiness days
• We will assess the severity and impact of the vulnerability and determine the next steps
• We will keep you informed of the progress and provide an estimated time for resolution
• Once resolved, we will notify you and may coordinate a public disclosure if appropriate

Guidelines for security researchers

• No activities that disrupt the availability of our systems (e.g., DDoS attacks, mass scanning).
• No unauthorized data access, modification, or deletion.
• Compliance with applicable legal regulations while conducting security research.

Legal notice

This policy does not authorize active testing of our systems without prior agreement. Unauthorized activities that violate laws or disrupt the operation of our systems may result in legal action. However, if you act in good faith and adhere to responsible disclosure principles, we commit to not taking legal action against you.