Intellix IT Solutions
Security · Vulnerability Disclosure

Found something? Tell us. We will not bite.

We design and deliver cybersecurity for a living, which means we take seriously the obligation to make our own site safe to report against. This page sets out our Vulnerability Disclosure Policy (VDP) — what's in scope, what's out, what safe-harbour you have, and how fast we will respond.

Last updated: February 2026

Where to send a report

hello@cloudvoro.com

Or see the canonical machine-readable record at /.well-known/security.txt.

Plain email is fine. If you would prefer to encrypt, request the PGP public key in your first message and we will send it back over a separate channel.

What we'd love to hear about

  • Authentication bypass on /loginmanage or any admin surface.
  • Cross-site scripting (reflected, stored or DOM-based) anywhere on the public site.
  • Server-side request forgery (SSRF) — including via the free attack-surface scan engine.
  • SQL / NoSQL injection on any input.
  • Insecure direct object reference (IDOR) — access to leads, scans, audit logs you should not see.
  • Subdomain takeover on any *.intellixit.com or *.cloudvoro.com name.
  • Email authentication misconfigurations on our own outbound (SPF / DKIM / DMARC).
  • Secret leakage in build artefacts, source maps or front-end bundles.
  • Rate-limit bypass on the free scan or contact form.
  • Anything that would let you read another user's lead data, scan output or admin session.

Explicitly out of scope (please don't test these)

  • Denial of service of any kind — volumetric, application-layer, or otherwise. The free scan is not a load-test target.
  • Social-engineering attacks against our staff, our clients, or anyone on Cashel Blue, Ballypatrick, or any of our named operators.
  • Physical attacks on our offices, our staff homes, or our service partners.
  • Reports based purely on missing best-practice headers without an exploitable demonstration.
  • Reports that require a victim to install a malicious browser extension or to be already compromised.
  • Self-XSS without a reasonable attack vector.
  • Vulnerabilities in third-party services we use (please report to them directly — see Subprocessors).
  • Marketing / lookalike-domain claims — those are an Intellix internal monitoring concern.

Safe-harbour

If you act in good faith, only target the in-scope surfaces above, do not exfiltrate data beyond what is strictly necessary to demonstrate the issue, and give us reasonable opportunity to remediate before public disclosure, then:

  • We will not pursue civil or criminal action against you under the Computer Misuse Act (UK), the Criminal Justice (Offences Relating to Information Systems) Act 2017 (IE), or equivalents elsewhere.
  • We will not initiate, or support, legal action by third parties against you for the conduct of your research, where it remained inside the scope above.
  • We will work with you on coordinated public disclosure if you wish, and credit your finding on this page if you would like attribution.

Safe-harbour does not extend to actions that would compromise the security or privacy of another customer (including reading another tenant's data, taking actions against another tenant's domain, or any activity that disrupts the service for other users). If you accidentally cross a line, tell us immediately and we will treat it as a good-faith discovery.

What you can expect from us

  • Acknowledgement: within 2 working days of your initial report.
  • Triage decision: within 5 working days.
  • Status update: every 7 days until the issue is closed or accepted as risk.
  • Remediation target: critical = 7 days, high = 30 days, medium = 90 days, low = next planned release.
  • Public credit on this page, if you want it. We do not run a paid bounty programme at this time, but we may send a small thank-you (a printed copy of the Intellix services brochure, or a coffee voucher for a research session) for material findings.

Practical guidance for a great report

  • One issue per email — easier to triage.
  • Reproducible steps, with a curl / browser command we can run.
  • Affected URL or component name.
  • Browser / OS / time of test, so we can correlate logs.
  • The impact you believe it has — what an attacker could do with it.
  • If relevant: a screen recording or short video. Strip anything sensitive before sending.

Public disclosure

We support coordinated disclosure 90 days after first contact (or 30 days after a fix is confirmed live, whichever comes first). If you would like to publish earlier, we will work with you on timing.

Recognised researchers

No public credits yet. Your name could be the first. (And we mean that — being first on a small VDP carries weight in interviews and grant applications.)
