Vulnerability Disclosure Policy
xthAB Limited, England and Wales
1. Introduction
xthAB Limited values the security community and welcomes responsible disclosure of vulnerabilities in Villip systems. This policy follows the NCSC Vulnerability Disclosure Toolkit and RFC 9116.
2. Scope
The following systems are in scope:
- villip.xyz and all subdomains
- Villip APIs (api.villip.xyz)
- Villip Tenant Portal (portal.villip.xyz)
The following are out of scope:
- Third-party services used by Villip (report directly to the provider)
- Social engineering or physical attacks
- Denial-of-service attacks
3. How to Report
Send vulnerability reports to security@villip.xyz. Include:
- Description of the vulnerability and its potential impact
- Steps to reproduce
- Affected URL, endpoint, or component
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
4. Our Commitment
We will:
- Acknowledge receipt within 2 business days
- Provide an initial assessment within 5 business days
- Keep you informed of remediation progress
- Credit you in our security acknowledgements (with your permission)
- Not pursue legal action against researchers who act in good faith and comply with this policy
5. Responsible Disclosure Guidelines
- Do not access, modify, or delete data belonging to other users
- Do not degrade the performance or availability of our services
- Allow reasonable time (90 days) for remediation before public disclosure
- Do not use automated scanning tools at high volume without prior coordination
6. security.txt
Our security.txt file is available at /.well-known/security.txt in compliance with RFC 9116.