Vulnerability Disclosure Policy

At Validy SAS and Validy Net Inc, the security of our systems is a priority.

We want you to feel comfortable reporting vulnerabilities you have discovered, so that we can fix them to better protect our systems and our clients.



  • This policy currently applies only to the system
  • Any other system is excluded from scope and is not authorized for testing
  • Denial of service tests or social engineering are also excluded from scope and not authorized


We require that you

  • Engage in testing our systems without harming or disrupting Validy SAS, Validy Net Inc or their customers
  • Make every effort to avoid destruction or manipulation of data
  • Make every effort to avoid privacy violations
  • Only use your findings to the extent necessary to confirm a vulnerability
  • Submit your vulnerability report via email at:
  • Keep your findings about vulnerabilities confidential for up to 13 weeks after you have notified us


A report should

  • Be written in English
  • Include a description of the vulnerability and its potential impact.
    • Identification of the service impacted: IP address, hostname, URL, …
    • Type of issue: buffer overflow, xss, …
    • Any additional information deemed interesting to understand the issue and its dangerousness
  • Include a way for us to reproduce the issue
    • If possible a proof of concept or an URL
  • Include any additional information deemed interesting to reproduce/correct the issue



If you make a good faith effort to comply with this policy during your security research, Validy SAS and Validy Net Inc will consider your research to be authorized, we will work with you to understand and resolve the issue quickly and we will not initiate or recommend legal action related to your research.