vmp.one

Security

Last updated: May 2, 2026

We take the security of vmp.one and the customer data we process seriously. This page covers how to report an issue, what's in scope, and what to expect from us. For additional security artifacts under NDA — SOC 2 reports, pentest summaries — contact your account manager or sales@vmpone.com.

Report a vulnerability

security@vmpone.com

Email a clear description, reproduction steps, and the impact you believe the issue has. We acknowledge every report within 2 business days.

If you don't hear back within 2 business days, the email may have been caught by spam filters — re-send with a subject line of SECURITY: <one-line description>.

Please give us time to investigate before public disclosure. Coordinated disclosure protects the customers we both want to keep safe.

Scope

In scope

The vmp.one API (api.vmpone.com) and its agent endpoints
The customer-facing app (app.vmpone.com)
The login surface (auth.vmpone.com)
The marketing site (vmpone.com) — to the extent that an issue could affect customer trust
Workflow integrations (webhook signature handling, OAuth flows)
Multi-tenant data isolation (cross-tenant data exposure is a critical issue category for us)

Out of scope

Denial-of-service through traffic volume
Spam or social-engineering attacks against staff
Third-party services we depend on (report those to the vendor; our sub-processor list names them)
Self-XSS that requires the user to paste attacker-controlled code
Missing security headers without a demonstrated impact

Severity and SLAs

We classify findings on a four-level scale aligned with CVSS v3.1 base scores:

Severity	Triage SLA	Fix or mitigation SLA
Critical (cross-tenant exposure, RCE, auth bypass)	24 hours	7 days
High (privilege escalation, sensitive data exposure within a tenant)	5 business days	30 days
Medium (info leak, broken access control with limited reach)	5 business days	90 days
Low (hardening, defense-in-depth)	10 business days	best-effort

Mitigation can mean a temporary block (rate limit, feature flag off) while a permanent fix is in progress. We disclose mitigation status to the reporter.

What we will not do

We will not pursue legal action against good-faith security research that stays within scope and respects customer data. If you stumble into customer data while reproducing an issue, stop, document what you saw at a high level (do not exfiltrate), and report it.
We will not require an NDA to discuss a vulnerability you found.
We will not silently fix and pretend the issue didn't happen.

Disclosure

After a fix is deployed, we coordinate a public advisory within 30 days, crediting the reporter (with their permission). For critical issues that affected production data, we notify affected customers directly within 72 hours of confirmed breach for incidents involving personal data.

How we keep customer data safe

The full threat model and security policy are public on GitHub. At a glance:

Multi-tenant isolation. Every tenant's data is partitioned at the database layer with Entity Framework global query filters. The escape hatch for admin code is a single, audited code path.

Append-only audit log. Postgres trigger blocks UPDATE on the audit table. Customers can export their full audit trail to their own SIEM via our export API.

Encryption at rest. Volume-level encryption on production storage; application-level encryption for cloud-account credentials. We're migrating those credentials to KMS-backed envelope encryption with per-decrypt audit trail (in progress).

Continuous self-scanning. We run our own platform on our own platform. Trivy and OWASP Dependency-Check run in CI; findings flow into the same VMP instance our customers use.

Compliance

SOC 2 Type I attestation is in progress as of Q2 2026. The Type II observation window begins immediately after Type I lands. Pentest summaries and SOC 2 reports are available to qualified customers under NDA.

Trust artifacts

Sub-processor list — every third-party service that can see customer data, with 30-day notice on changes
Status page — real-time component health
SECURITY.md — full security policy
Threat model — high-blast-radius surfaces and what we do about each
Audit log export API — for customer SIEM ingestion

Contact

For security reports: security@vmpone.com.
For data-protection / privacy questions: privacy@vmpone.com.
For sales / commercial questions about security artifacts: sales@vmpone.com.