Vulnerability Disclosure Policy
Introduction
Effective Date: July 15, 2026
BlueVoyant is a cybersecurity company, and we hold ourselves to the same standard we ask of our clients: if you find a security weakness in our systems, we want to know about it. BlueVoyant supports responsible, coordinated vulnerability disclosure as part of strengthening the broader cybersecurity ecosystem.
This policy explains which BlueVoyant systems are in scope for security research, how to report a vulnerability to us, and what you can expect from us in return. We welcome reports from independent security researchers, and we are committed to working with the security community to verify, respond to, and resolve any vulnerabilities reported to us.
Scope
This policy applies to internet-facing systems and services owned and operated by BlueVoyant, including:
- www.bluevoyant.com and www.bluevoyantgov.com and their associated subdomains
- BlueVoyant customer- and partner-facing portals and platform applications (e.g., the BlueVoyant Cyber Defense Platform login and application surfaces)
This policy does not cover:
- Any system, network, or environment belonging to a BlueVoyant client or third party, including environments BlueVoyant monitors, manages, or remediates on a client's behalf as part of our services. If you believe you have found a vulnerability in a client's environment, please contact that organization directly.
- Third-party services, products, or infrastructure that BlueVoyant uses but does not own or control (e.g., cloud providers, SaaS vendors). This exclusion applies to vulnerabilities in a provider's own infrastructure or platform. It does not apply to BlueVoyant applications or systems hosted on that infrastructure, which remain in scope. Please report infrastructure-level findings to the relevant vendor.
- Physical security of BlueVoyant offices or facilities.
If you are unsure whether a system is in scope, contact us before testing.
Our Commitment (Safe Harbor)
If you make a good-faith effort to comply with this policy while conducting security research, BlueVoyant will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and we will not pursue or recommend legal action against you for that research. If a third party initiates legal action against you for activities conducted in accordance with this policy, we will make this authorization known.
This authorization does not extend to research that violates the guidelines below, that targets systems out of scope, or that involves accessing, retaining, or disclosing data belonging to BlueVoyant clients or other third parties. Nothing in this policy authorizes conduct that violates applicable law or infringes the rights of any third party.
Guidelines
When conducting research under this policy, we ask that you:
- Notify us as soon as possible after discovering a real or potential security issue.
- Make every reasonable effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Use exploits only to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to exfiltrate data beyond what is needed to demonstrate the issue, establish persistent access, or pivot to other systems.
- Stop testing and notify us immediately if you encounter personal data, financial information, or proprietary/confidential information belonging to any party — and do not view, copy, transmit, or otherwise disclose that data.
- Give us a reasonable amount of time to investigate and remediate an issue before disclosing it publicly.
- Avoid submitting a high volume of low-quality or automated-scan-only reports.
Testing Methods That Are Not Authorized
The following are not permitted under this policy:
- Denial-of-service (DoS/DDoS) testing or any test that degrades or disrupts access to a system or data.
- Physical testing against BlueVoyant facilities (e.g., attempted building access, tailgating).
- Social engineering of BlueVoyant personnel, contractors, or clients (e.g., phishing, vishing, pretexting).
- Automated scanning that generates excessive traffic or otherwise degrades system performance.
How to Report a Vulnerability
Please report suspected vulnerabilities to [email protected].
Reports may be submitted anonymously, though anonymous submissions may limit our ability to investigate the issue or provide you with updates. If you share contact information, we will acknowledge receipt within 3 business days.
To help us triage your report efficiently, please include:
- The location or system where the vulnerability was discovered.
- A description of the potential impact.
- Step-by-step reproduction details, including proof-of-concept scripts or screenshots where possible.
- Whether you intend to publicly disclose the issue, and on what timeline.
Reports are used for defensive purposes only, to investigate and remediate the reported issue. We will not share your name or contact information without your express permission. Consistent with our Privacy Policy, any personal data you provide as part of a report is handled in accordance with that policy.
What You Can Expect From Us
- Acknowledgment of your report within 3 business days.
- We will assess each report and, where appropriate, confirm whether the issue has been validated.
- Open communication about our remediation timeline, including any factors that may delay resolution.
- Recognition for your discovery, provided only with your consent, once the issue is resolved and disclosure is coordinated. This policy does not itself establish a bug bounty or monetary reward program; any such program, and any reward eligibility under it, is governed separately and at BlueVoyant's discretion.
- BlueVoyant reserves the right not to respond to reports that are out of scope, duplicative of a previously reported issue, or that do not include sufficient information for us to investigate.
We ask that you coordinate the timing of any public disclosure with us and give us reasonable time to remediate before details are published.
Government Business Unit Addendum
BlueVoyant Government Solutions serves U.S. federal, state, local, and tribal government customers, and this policy applies equally to systems operated under that business unit. In addition to the terms above:
- If a report identifies a vulnerability that is likely to affect other vendors or agencies beyond BlueVoyant — not solely a BlueVoyant-specific issue — BlueVoyant may, at its sole discretion and subject to its legal and contractual obligations, share relevant technical details with the Cybersecurity and Infrastructure Security Agency (CISA), consistent with CISA's coordinated vulnerability disclosure process, to support broader remediation. We will not share your identity or contact information without your permission.
- This policy is intended to align with the vulnerability disclosure expectations set out in CISA Binding Operational Directive 20-01 and related federal guidance for government-facing systems and contractors.
- Nothing in this policy overrides the specific incident-reporting or vulnerability-disclosure terms of any individual federal contract, task order, or agreement BlueVoyant Government Solutions holds with a government customer; those contractual terms govern where they conflict with this public policy.
Questions
Questions about this policy, or suggestions for improving it, can be sent to [email protected].
BlueVoyant reserves the right to update this policy at any time. Material changes will be reflected by an updated effective date above.