Security

We take the security of your data and our service seriously. This page lists the technical safeguards in place and explains how to report a vulnerability if you find one.

Independently verified

The public surfaces of vaapadcapital.com are configured against modern web-security baselines. The badges below link to independent third-party scanners — click any of them to verify our current grade live with the issuing scanner. We do not host or cache these scores.

What this protects

• End-to-end encrypted with TLS 1.3
• HTTPS enforced everywhere
• HSTS — no HTTPS downgrade possible
• Certificates restricted via CAA
• DNS signed with DNSSEC
• Strict Content Security Policy
• Anti-clickjacking and MIME-sniff protections
• Email auth: SPF · DKIM · DMARC
• Bot & abuse mitigation at the edge
• Continuous certificate transparency monitoring
• Zero-Trust authentication on member areas

Reporting a vulnerability

If you have discovered a security issue affecting any of our services, we want to hear from you. Please do not disclose it publicly until we have had a chance to investigate and remediate.

Machine-readable contact information following RFC 9116 is also available.

Scope

• The website at vaapadcapital.com and its subdomains
• Our authentication, dashboard and member areas
• The APIs we expose to authenticated users

Out of scope

• Third-party services we integrate with — please report those upstream
• Reports without a clear, demonstrable technical impact
• Social engineering, physical attacks, denial-of-service
• Best-practice nitpicks already covered by our public scanner scores above

Safe harbor

Good-faith research conducted in accordance with this policy will not result in legal action from us. Please do not access, modify, or delete data belonging to other users; stop testing as soon as you can confirm an issue and report it.

Acknowledgements

No reports yet. If you are the first to responsibly disclose a finding, you will be credited here with your permission.

← back to home