Vulnerability Disclosure Policy (VDP)

Effective Date: August 10, 2025
(for Nassau Technologies, LLC – Devsey)


1. Purpose

At Nassau Technologies, LLC (“Company,” “we,” “our,” or “us”), we take the security of the Devsey platform (“Service”) seriously. This Vulnerability Disclosure Policy (“Policy”) is intended to establish a framework for security researchers to report potential vulnerabilities to us safely, legally, and responsibly.


2. Scope

This Policy applies to:

  • Devsey-owned applications, domains, and APIs;
  • The Devsey platform and its infrastructure.

This Policy does not authorize testing or research of:

  • Third-party integrations, vendors, or services;
  • Systems not owned or operated by the Company;
  • Social engineering, phishing, or physical security assessments.

3. Safe Harbor for Good-Faith Research

If you comply with this Policy when discovering and reporting a vulnerability, the Company will not pursue legal action against you under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or similar laws. We consider your security research conducted under this Policy to be “authorized” for purposes of applicable law.

Safe harbor does not apply to:

  • Actions that result in harm to the Company or its Customers;
  • Exfiltration, misuse, or destruction of data;
  • Extortion or threats.

4. Prohibited Activities

You must not:

  • Access, modify, copy, or exfiltrate data that does not belong to you;
  • Intentionally disrupt, degrade, or deny Service to other users;
  • Exploit a vulnerability beyond the extent necessary to demonstrate its existence;
  • Use automated scanners or brute-force tools without prior coordination;
  • Engage in phishing, spam, or social engineering of employees or users.

5. Reporting Guidelines

When reporting a vulnerability, you must provide:

  • A detailed description of the vulnerability, including affected components or endpoints;
  • Steps to reproduce the issue, including proof-of-concept code if applicable;
  • The potential security impact;
  • Your name and contact information (optional; you may omit them if you wish to remain anonymous).

Reports must be submitted to: security@devsey.com.
We will acknowledge receipt of your report within seven (7) business days.


6. Company Commitments

Upon receiving a valid vulnerability report, we will:

  • Promptly acknowledge receipt;
  • Investigate the issue in good faith;
  • Provide an estimated timeline for resolution where possible;
  • Notify you when the issue has been remediated;
  • Credit you publicly for your contribution (unless you request anonymity).

7. Out-of-Scope Vulnerabilities

The following are generally considered out of scope and will not be rewarded or remediated under this Policy:

  • Denial-of-service (DoS) or volumetric attacks;
  • Issues requiring physical access to Company systems;
  • Vulnerabilities in third-party services or libraries outside Company control;
  • Reports that are duplicative of existing known issues.

8. Legal Compliance

Nothing in this Policy permits you to violate applicable laws. You must comply with all federal, state, and local laws when conducting security research.


9. Indemnification

You agree to indemnify, defend, and hold harmless the Company from any claims, damages, liabilities, costs, or expenses (including reasonable attorneys’ fees) arising out of your failure to comply with this Policy.


10. Entire Agreement

This Policy, together with the Terms of Service and other incorporated legal documents, constitutes the entire agreement between you and the Company regarding vulnerability reporting.


11. Contact Information

For all security-related reports and inquiries, contact:
Nassau Technologies, LLC
Email: support@devsey.com