Security & Responsible Disclosure
Last Updated: April 10, 2026
Xtrinel builds offensive-security tooling, so we take the security of our own stack seriously. This page describes how to report a vulnerability you have found in Xtrinel or VAAST, what is in scope, what is not, and how quickly we will respond.
1. How to Report
Send vulnerability reports to [email protected]. If the report contains sensitive material, you can encrypt it with our PGP key, available on request at the same address.
A useful report usually includes:
- A clear description of the vulnerability.
- A minimal reproduction — ideally a script, request, or payload we can run end-to-end.
- The affected endpoint, version, or environment.
- An assessment of the impact as you understand it.
- Your name or handle if you would like public acknowledgment.
2. Our Commitments
When you submit a report in good faith under this policy, we commit to:
- Acknowledge receipt of your report within 72 hours.
- Assign a triage owner within five business days and keep you updated as we investigate.
- Credit you in the fix notes or on this page, unless you prefer to remain anonymous.
- Not pursue legal action against researchers who follow this policy and act in good faith.
3. In Scope
The following assets are in scope for responsible disclosure:
- xtrinel.com and all public subdomains operated by Xtrinel.
- dashboard.xtrinel.com — the VAAST web dashboard.
- The VAAST API endpoints documented in our public docs.
- The VAAST client binaries we distribute to customers (local privilege escalation, credential exposure, supply-chain issues).
4. Out of Scope
The following are explicitly out of scope:
- Denial-of-service testing, volumetric testing, or anything that would degrade the Services for other customers.
- Social-engineering attempts targeting Xtrinel employees, contractors, customers, or vendors.
- Physical attacks against our offices or infrastructure.
- Findings on third-party services that happen to integrate with Xtrinel (for example, Stripe, Microsoft Entra ID, or our hosting providers). Report those directly to the respective vendor.
- Reports generated purely by automated scanners with no demonstrated impact.
- Issues requiring physical access to an unlocked device, or requiring a user to run arbitrary code on their own machine.
5. Safe Harbor
We will not pursue civil or criminal action against researchers who (a) make a good-faith effort to comply with this policy, (b) avoid privacy violations, destruction of data, and service degradation, (c) use only the accounts they own or have explicit permission to test, and (d) give us a reasonable opportunity to remediate before any public disclosure. If a third party pursues legal action against a researcher who complied with this policy, we will make that compliance known to the extent we are permitted to do so.
6. Public Disclosure
We prefer coordinated disclosure and will work with you to agree on a public disclosure timeline once a fix is available. Our default is ninety days from the date we acknowledge your report, though we will accelerate or extend by mutual agreement based on severity and customer impact.
7. Contact
[email protected] for vulnerability reports. For general security questions about the VAAST platform, see the privacy policy or email [email protected].