Vulnerability Disclosure Program

Last updated: October 2025

1. Purpose

Security is at the core of everything we do at EventsAir. While we have a strong security program and controls in place, we understand that no system is perfect.

This Vulnerability Disclosure Programme (VDP) enables external security researchers, ethical hackers, and other individuals to report potential vulnerabilities in our systems in a responsible, coordinated manner.

2. Scope and Applicability

This programme applies to EventsAir-operated systems and domains, including http://eventsair.com and our public APIs.

If a vulnerability is classified as Critical or High, we will acknowledge receipt and respond within 3 business days. All other reports will be handled within 7 to 14 business days.

3. Guidelines for Responsible Disclosure

We encourage responsible testing and reporting of security issues. We will not pursue legal action against individuals who:

  • Identify and report a vulnerability in good faith.
  • Have express permission from EventsAir to conduct testing.

Researchers must avoid actions that could degrade service, access unauthorised data, or impact the privacy and integrity of EventsAir customers or systems.

4. Out of Scope

The following activities are not authorised under this programme:

  • Denial-of-service (DoS) or distributed DoS (DDoS) testing.
  • Social engineering or phishing attempts against EventsAir employees or partners.
  • Testing of systems or applications not owned or operated by EventsAir.
  • Use of automated scanning tools that generate excessive traffic.

5. Reporting Process

To report a vulnerability, please send an email to and include the following information:

  1. Description of the vulnerability and affected system or component.
  2. Steps to reproduce or proof-of-concept.
  3. Your contact details and whether you wish to be publicly acknowledged.
  4. Any other relevant evidence (e.g., screenshots, logs, or payloads).

We recommend encrypting sensitive details using PGP or a secure communication channel when sharing exploit information.

6. Data Handling & Compliance

We collect only the minimal personal data required to investigate your submission and maintain internal controls for vulnerability management, incident response, and secure development.

In particular:

  • Personal data provided in your report will be processed solely for vulnerability triage and remediation.
  • Data will not be shared beyond EventsAir’s security and development teams without your consent.
  • You may request deletion of your personal data at any time.

EventsAir complies with relevant privacy and security standards, including ISO 27001 and SOC 2 Trust Criteria, and maintains internal processes for responsible vulnerability management.

7. Legal Safe Harbor

To ensure safety and compliance, do not:

  • Engage in social engineering or phishing.
  • Perform physical security testing.
  • Conduct denial-of-service attacks.
  • Use automated tools that generate excessive traffic.

8. Timelines & Acknowledgement

  • We will acknowledge receipt of your report within 3 business days for Critical or High-severity issues, or within 7 business days for all others.
  • Once triaged, we will provide an update on our remediation plan or request further information if required.
  • We aim to publish a coordinated disclosure within 90 days of fix deployment, unless exceptional circumstances require more time.

9. Changes to the Programme

We may update this Vulnerability Disclosure Programme at any time. The most recent version will always be indicated by the “Last updated” date above. Please check this page periodically to ensure you have the latest guidance.

10. Recognition

We appreciate the efforts of security researchers who help us improve our security posture. With your consent, EventsAir may acknowledge your contribution publicly once the issue has been remediated.

11. Questions?

If you have any questions regarding this program or your findings, feel free to contact us at