Found something? Tell us.

If you believe you've found a security vulnerability in our website, infrastructure, or client-facing portals — we want to hear from you. We provide safe harbor for good-faith research conducted under this policy.

Effective May 13, 2026 · Acknowledged within 24h · security.txt available

Safe harbor

The Blue Vault will not pursue civil action, criminal complaint, or DMCA notice against researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Use only the systems and methods explicitly described as in scope below
  • Give us reasonable time to remediate before public disclosure
  • Do not attempt to access, modify, or destroy data belonging to anyone other than themselves

In scope

  • thebluevault.com and all subdomains we operate
  • Our published client portals (URLs documented in welcome packets)
  • Our public APIs (where documented)
  • Mobile applications we publish under "The Blue Vault" name

Out of scope

  • Client environments we manage — disclosure for those is governed by each client's own policy. Reach the client directly, or contact us and we'll route the report to them.
  • Third-party services we use as subprocessors — disclose to the vendor (Microsoft, Cloudflare, etc.).
  • Social engineering of staff, physical access to our offices, or anything that puts a human at risk.
  • Denial-of-service testing, traffic flooding, brute-force at scale.
  • Findings from automated scanners with no manual validation (we get a lot of these and they slow real triage).

How to report

Encrypt your report with our PGP key (fingerprint and key block in our /.well-known/security.txt) and send to security@thebluevault.com. Include:

  • A clear description of the vulnerability
  • Steps to reproduce
  • Impact assessment, in your words
  • Whether you'd like public credit, and if so under what handle

What you can expect

  • Within 24 hours — acknowledgment from a human
  • Within 5 business days — triage decision and severity rating
  • Within 30 days — remediation plan with target dates (or a clear "won't fix" with reasoning)
  • On request — credit on our public hall of fame, with a link to your handle

What we don't do

We do not currently operate a paid bug bounty. We do not have a third-party platform (HackerOne, Bugcrowd) — submissions come directly to us. We may revisit this in a later policy revision.

security.txt

Our /.well-known/security.txt file is published per RFC 9116 with the same contact and PGP key information.