Security

Independently verified

The public surfaces of vaapadcapital.com are configured against modern web-security baselines. The badges below link to independent third-party scanners — click any of them to verify our current grade live with the issuing scanner. We do not host or cache these scores.

What this protects

• ✓End-to-end encrypted with TLS 1.3
• ✓HTTPS enforced everywhere
• ✓HSTS — no HTTPS downgrade possible
• ✓Certificates restricted via CAA
• ✓DNS signed with DNSSEC
• ✓Strict Content Security Policy
• ✓Anti-clickjacking and MIME-sniff protections
• ✓Email auth: SPF · DKIM · DMARC
• ✓Bot & abuse mitigation at the edge
• ✓Continuous certificate transparency monitoring
• ✓Zero-Trust authentication on member areas

Reporting a vulnerability

If you have discovered a security issue affecting any of our services, we want to hear from you. Please do not disclose it publicly until we have had a chance to investigate and remediate.

Machine-readable contact information following RFC 9116 is also available.

Scope

• The website at vaapadcapital.com and its subdomains
• Our authentication, dashboard and member areas
• The APIs we expose to authenticated users

Out of scope

• Third-party services we integrate with — please report those upstream
• Reports without a clear, demonstrable technical impact
• Social engineering, physical attacks, denial-of-service
• Best-practice nitpicks already covered by our public scanner scores above

Safe harbor

Good-faith research conducted in accordance with this policy will not result in legal action from us. Please do not access, modify, or delete data belonging to other users; stop testing as soon as you can confirm an issue and report it.

Acknowledgements

No reports yet. If you are the first to responsibly disclose a finding, you will be credited here with your permission.