Security Responsible Disclosure Policy
VaultCore Technologies, Inc. — Effective Date: June 1, 2026
Our Commitment to Security
VaultCore Technologies, Inc. is committed to the security of our platform, infrastructure, and the data entrusted to us by Operators and their customers. We recognize that independent security research plays a valuable role in identifying vulnerabilities that help us better protect our systems and users. We welcome good-faith security research conducted in accordance with this policy.
This policy describes how to report security vulnerabilities to VaultCore, what researchers can expect from us in return, what activities are within scope of this policy, and the safe harbor protections we extend to researchers who comply with these guidelines.
Safe Harbor
VaultCore Technologies, Inc. extends safe harbor to security researchers who discover and report vulnerabilities in good faith in accordance with this policy. If you conduct security research and report findings consistent with these guidelines, VaultCore will:
- Not pursue civil or criminal action against you for your research activities under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or applicable state computer crime statutes, solely in connection with research conducted within the scope of this policy;
- Not file a complaint with law enforcement agencies regarding your research activities conducted in accordance with this policy;
- Treat your research activities as authorized access to VaultCore systems for purposes of this policy.
Safe harbor protections apply only when research is conducted: (a) within the defined scope of this policy; (b) without intent to cause harm, data loss, or service disruption; (c) without unauthorized access to third-party systems or data; and (d) in compliance with all other requirements of this policy. Activities that violate any of these conditions are not protected by this safe harbor.
Scope: In-Scope Systems
This policy applies to security research targeting VaultCore-owned and -operated systems, including:
- The VaultCore platform web application (vaultcoretechnology.com and associated subdomains operated by VaultCore);
- VaultCore API endpoints;
- VaultCore authentication and authorization systems;
- VaultCore administrative portals and operator dashboards;
- VaultCore infrastructure and cloud services operated directly by VaultCore.
Scope: Out-of-Scope Systems
The following systems and activities are explicitly out of scope for this policy:
- Provider systems. Brokers, trading platforms, payment processors, KYC/AML vendors, market data providers, cloud hosting providers, and any other third-party service provider systems are not operated by VaultCore and are not in scope. Do not conduct security testing against provider systems.
- Tenant Operator systems. White-label platforms, portals, and systems operated by VaultCore Tenant Operators under their own domain names and infrastructure are not VaultCore systems. Do not test Operator-operated systems without express written authorization from that Operator.
- Social engineering attacks against VaultCore employees, contractors, or vendors;
- Physical security attacks against VaultCore facilities or personnel;
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks;
- Automated scanning that degrades service availability or performance;
- Testing that involves accessing, modifying, or exfiltrating real user data.
If you are unsure whether a system or activity is in scope, contact us at [email protected] before proceeding.
Research Guidelines
To qualify for safe harbor protections under this policy, security research must comply with all of the following requirements:
- Do not access data beyond what is necessary to demonstrate the existence of a vulnerability. Do not download, exfiltrate, copy, or retain any real user data;
- Do not modify, delete, or destroy data or system configurations;
- Do not disrupt services or degrade performance for other users;
- Do not access accounts of real users without explicit consent from those users;
- Do not conduct testing against provider or Operator systems as described in the Out-of-Scope section above;
- Report findings promptly to VaultCore before making any public disclosure;
- Cooperate with VaultCore during the investigation and remediation process.
Disclosure Process and 90-Day Timeline
VaultCore uses a coordinated disclosure process with a default 90-day timeline from the date of initial report to public disclosure. This timeline reflects our commitment to transparency while providing reasonable time for remediation.
The process is as follows:
1. Submit. Send your vulnerability report to [email protected]. Include: a detailed description of the vulnerability; steps to reproduce it; the potential impact; and supporting evidence (screenshots, logs, or proof-of-concept code). For sensitive reports, request our PGP public key to encrypt your submission.
2. Acknowledgment (within 2 business days). VaultCore will acknowledge receipt within two (2) business days and provide a tracking reference number.
3. Investigation. VaultCore will investigate the reported vulnerability to assess its validity, severity, and scope. We will communicate with you during this phase and may request additional information.
4. Patch and Remediation. VaultCore will develop and deploy a fix or mitigation. We will keep you informed of our progress throughout.
5. Notification. Where required by applicable law or our contractual obligations, VaultCore will notify affected Operators and users following confirmation and remediation of a security issue.
6. Public Disclosure. VaultCore will work with you to coordinate public disclosure at the earlier of: (a) ninety (90) calendar days from your initial report; or (b) the date VaultCore confirms a fix has been deployed and affected parties notified. VaultCore will communicate any requested extensions.
VaultCore will credit you for your discovery in public disclosures or security advisories, unless you prefer to remain anonymous.
What We Ask of Researchers
We ask that security researchers:
- Report vulnerabilities to us privately before making any public disclosure;
- Provide sufficient detail to allow us to understand and reproduce the issue;
- Avoid exploiting the vulnerability beyond what is necessary to demonstrate its existence;
- Not use vulnerabilities to access, exfiltrate, or tamper with data belonging to other users;
- Comply with all applicable laws in connection with your research;
- Engage in good faith with VaultCore throughout the disclosure and remediation process.
Bug Bounty
VaultCore does not currently operate a public bug bounty program offering monetary rewards. We deeply appreciate the work of the security research community and will publicly acknowledge researchers who responsibly disclose valid vulnerabilities in accordance with this policy (unless you prefer anonymity). We reserve the right to introduce a formal bug bounty program in the future.
Contact
To report a security vulnerability or to request our PGP public key for encrypted submission, please contact:
VaultCore Technologies, Inc. — Security Team
Minneapolis, Minnesota
[email protected]
For general legal or compliance inquiries: [email protected]. For non-security platform questions: [email protected].