If you discover a security vulnerability in Vertex AI, please report it responsibly via GitHub’s security advisory system:
Submit your report here:
To help us assess and address the issue quickly, please include:
- A clear summary of the suspected vulnerability
- Detailed explanation of the vulnerability’s impact and scope
- Proof of Concept (PoC) demonstrating the vulnerability (code samples are required; videos optional)
- PoC must show how sensitive data or functionality can be compromised; trivial UI alerts are not considered vulnerabilities
- Impact assessment (who and what is affected)
You may optionally include an estimated CVSS 3.1 score; we will review and adjust as needed. We will handle CVE requests internally.
- We commit to responding within 72 hours of your report.
- Verified vulnerabilities will be patched promptly, typically within a few days depending on complexity.
- We follow a coordinated disclosure process: patches are released first, followed by a public advisory after a waiting period (2 to 8 weeks based on severity).
- Please coordinate with us before any public disclosure to avoid premature information release.
Our handling process, in order:
- Vulnerability submission via GitHub Advisory
- Internal tracking and communication with the reporter
- Validation and impact assessment
- Patch development and testing (with reporter collaboration where applicable)
- CVE request and advisory preparation
- Patch release with initial notification
- Coordinated public disclosure after the mandatory waiting period
- We only accept security reports through GitHub’s security advisory system.
- If you cannot use GitHub, email us at info@refine.dev to open a security ticket; note that private collaboration may be limited without a GitHub account.
- We do not accept vulnerability reports via:
  - huntr.dev or other third-party platforms
  - Direct messages to team members (Discord, Slack, email)
  - Public forums such as Stack Overflow
Currently, Vertex AI does not offer bug bounties, swag, or monetary rewards for vulnerability reports.