Vulnerability Disclosure Policy

Purpose

Vast.ai welcomes responsible security research and coordinated disclosure. This policy explains how to report potential vulnerabilities, what testers may expect from us, and the legal protections we extend without promising monetary rewards.

Vulnerability Bounty Program

While we do not guarantee monetary rewards for submissions, Vast.ai may, at its sole discretion, offer vulnerability bounties—monetary compensation—for high‑value reports. All rewards are discretionary and not guaranteed. Participation should not be driven solely by an expectation of payment.


Scope

In‑scope (highest priority)
  • vast.ai web console, REST API & billing flows
  • Provider Daemon code (host agent)
  • Match‑making & pricing engine
  • Default Docker & KVM isolation on reference images
  • GPU memory‑isolation / tenant breakout flaws

Out‑of‑scope
  • User workloads & third‑party container images
  • Social‑engineering, physical security, or denial‑of‑service (DoS) tests
  • Brute‑force attacks against customer passwords or MFA
  • Any activity that violates applicable law, export regulations, or provider Terms of Service

If you are unsure whether a target is in scope, ask first via the channels in the How to Report section.


Safe Harbor

  1. Research conducted in accordance with this policy is considered authorized activity. Vast.ai will not pursue civil or criminal action for accidental, good‑faith violations.

  2. We adopt the industry "Gold‑Standard Safe Harbor" language to protect good‑faith researchers.

  3. Safe harbor does not apply to actions on third‑party infrastructure (e.g., upstream data‑centers) that we do not control.


Rules of Engagement

  • Do no harm. Avoid privacy violations, service disruption, or destruction of data.
  • Test with your own resources. Use your own account.
  • Stop & report immediately if you encounter user data (PII, PHI, payment info, model checkpoints, etc.).
  • No spam or extortion.
  • Coordinate disclosure. Allow Vast.ai 90 days to remediate before public release, unless we agree to an earlier date.

Our Commitments

Action and SLA:
  • Initial triage & severity rating: within 5 business days
  • Status updates: at least every 30 days
  • Resolution target (Critical): ≤ 30 days
  • Resolution target (High): ≤ 60 days

We will keep you informed and extend safe harbor.


How to Report

  • Email: security@vast.ai
  • Please include: summary, service affected, step‑by‑step reproduction, impact assessment, and any PoC code or screenshots.

Preferred Report Quality

Well‑written English reports with clear reproduction steps and minimal tool output accelerate triage. Proof‑of‑concept code is strongly encouraged.


Out‑of‑Scope Findings

Vast.ai is not interested in theoretical or highly unlikely vulnerabilities, or findings with no demonstrable security impact. Examples include:

  • Click‑jacking with no security impact
  • SPF/DMARC misconfigurations of non‑vast.ai domains
  • Use of outdated TLS ciphers on assets not serving sensitive data
  • Best‑practice advice or recommendations without an exploitable vulnerability
  • Version enumeration, banner disclosure or verbose error messages without proven risk
  • Issues affecting only end-of-life or unsupported browsers/OSes
  • Broken-link hijacking, tabnabbing, content-spoofing/text-injection without further impact
  • Attacks that require physical access
  • "Self-XSS" or "self-DoS" where the researcher can only exploit their own account
  • CSRF on non-critical forms (e.g. logout)
  • Permissive CORS with no exploit path
  • CSV injection; open redirects (unless chained to a real attack)

Legal Notice

By participating, you acknowledge:

  • You have read and will abide by this policy.
  • Vast.ai may use any submitted information for vulnerability remediation.
  • Vast.ai reserves all rights, including modification or termination of this policy at any time. Changes will be posted at least 30 days before taking effect.

Version History

Date and change:
  • 23 Jul 2025: Initial public release

Questions?

Email security@vast.ai with the subject [VDP Question] and we will respond within two business days.

Thank you for helping keep Vast.ai and our community secure.

© 2025 Vast.ai. All rights reserved.