Coordinated disclosure

Report a vulnerability.

If you believe you have found a security issue affecting Vectra's own systems or a Vectra-branded customer portal, we want to hear from you. We commit to triage within one business day, communicate transparently through remediation, and credit you for responsible disclosure if you wish.

Safe harbour

Good-faith research is welcome.

Vectra will not pursue civil, criminal or administrative action against researchers who work with us in good faith, stay within the scope below, follow the do/don't list, and disclose responsibly. We reserve action only against conduct that causes harm to our customers or our systems.

This commitment does not bind third parties. If your testing interacts with systems we don't operate, you are responsible for securing separate authorisation.

In scope

What we want to hear about.

  • vectra-corp.com and all subdomains
  • The Vectra customer portal (portal.vectra-corp.com)
  • Vectra-hosted customer applications explicitly branded as Vectra

Out of scope

What to route elsewhere.

  • Third-party SaaS products we use internally (report those directly to the vendor)
  • Customer-hosted applications not branded as Vectra
  • Denial-of-service, brute force and social-engineering against Vectra personnel
  • Physical attacks against Vectra offices
  • Findings dependent on user interaction with outdated browsers or unsupported OS

Please do

  • Report vulnerabilities as soon as you believe they are real - don't wait for full impact
  • Provide enough detail to reproduce the issue: URL, request, expected vs actual
  • Give us a reasonable window to respond and remediate before public disclosure
  • Use the PGP key below for any report that includes sensitive technical detail

Please don't

  • Don't access or exfiltrate customer data beyond the minimum needed to demonstrate impact
  • Don't modify, delete or damage data or systems
  • Don't publicly disclose the issue before we have had a chance to remediate
  • Don't attempt privilege escalation into customer tenants

What happens after you send a report.

  1. Acknowledged

    You receive a confirmation from a named Vectra engineer within one business day.

  2. Triaged

    We validate, reproduce and assign a severity. If anything is unclear we'll ask before moving on.

  3. Remediated

    Fix is scheduled based on severity - critical issues ship same-day if possible; others land in the next patch window.

  4. Closed out

    You receive the fix summary and, if you'd like, credit on our acknowledgements page.

PGP

Encrypt sensitive reports.

Use the key below for any report containing exploit steps, credentials or customer-identifying data. Key is rotated annually.

Key ID : 0xA7F9 3C14 5B2D 88E0
Fingerprint : 5B2D 88E0 · A7F9 3C14 · E211 4D1B · 77CA 9F02 · 2026 0101
Owner : Vectra Security Team <security@vectra-corp.com>
Expires : 2027-01-01

Full armoured public key is published at vectra-corp.com/.well-known/security.txt