Found a bug in Vakteye?

What happens after you send it

• We get back to you within five working days. A real person, not an auto-reply.
• We agree on severity together. If we disagree with your read, we explain why. If you disagree with ours, we re-open the conversation.
• We fix it. Critical and serious issues close within 90 days. Smaller ones can take longer if a proper fix needs more work; we tell you what's going on.
• We coordinate with you on public disclosure. You can ask for credit, you can ask for silence, both are fine.

You have our permission to test

You can test anything at vakteye.comand our subdomains in good faith. We won't take legal action against researchers who play fair.

Playing fair means:

• Stop at proof — don't deepen access once you confirm the bug
• If you accidentally see another customer's data, stop and tell us immediately
• Don't destroy or change anything
• Don't overwhelm production with automated tools
• Give us reasonable time to fix before talking publicly

What we won't spend time on

Some things we already know about and have decided are acceptable, and some things just aren't real bugs. Reports about the following won't move forward:

• Missing recommended security headers without an actual exploit
• Email-spoofing or domain-DNS configuration suggestions
• Denial-of-service or resource-exhaustion attacks
• Self-attacks that require the victim to do something silly
• Output from a generic security scanner with no real impact attached
• Best-practice or hardening recommendations

About bounties

We don't pay cash bounties yet — we're a small Swedish company building toward our first customers. What we offer instead: public credit at disclosure (if you want it), a direct line to engineering for follow-up findings, and a written record of your work that you can share. When we have a paid programme we'll publish the terms here.