Security Practices And Responsible Disclosure

This page explains the current security posture for the Vereonix website, the way we handle website enquiry data, and how to report suspected vulnerabilities responsibly.

1. Scope Of This Security Page

This page covers the public Vereonix Technologies website, the associated lead-capture workflow, and the internal handling of website enquiries. It is intended to describe our current practices at a high level so prospective clients, partners, and researchers understand how we approach security for this site.

Client delivery environments, managed infrastructure projects, and consulting engagements can involve additional controls, obligations, or review materials. Those are normally defined in a signed statement of work, master services agreement, non-disclosure agreement, data processing addendum, or similar contract rather than on this public page.

2. Core Security Principles

Least-Privilege Access

We limit access to website systems, credentials, and lead data to personnel who need that access to operate or support the business.

Controlled Cloud Infrastructure

The site runs on cloud infrastructure with controlled service configuration, HTTPS termination, and operational access limited to approved administrators.

Data Minimization

We collect a narrow set of business contact and qualification fields so we can respond to enquiries without asking for unnecessary personal data.

Change Control

Application changes are made in version-controlled code so security-relevant updates can be reviewed, tested, and traced.

3. Current Controls For The Website

Application And Infrastructure

  • Public traffic is intended to be served over HTTPS through our hosting and delivery providers.
  • Secrets are expected to be provided through environment configuration rather than committed to application code.
  • Lead storage is isolated behind managed database access when database-backed capture is enabled.

Data Handling

  • We store only the enquiry fields needed to qualify and respond to inbound business requests.
  • Optional CRM forwarding is limited to configured integrations used for sales follow-up.
  • We review access to business systems and reduce access when it is no longer required.

Operational Security

  • We rely on provider logging, platform protections, and routine maintenance to detect operational issues affecting this site.
  • Dependencies and application code are updated over time as part of normal maintenance.
  • If a security issue affects the website or its supporting tools, we investigate scope, contain impact, and remediate as appropriate.

Vendor Oversight

  • We use specialist providers for hosting, analytics, database services, CRM, and scheduling instead of building those systems ourselves.
  • Vendor usage is scoped to business needs and documented in our privacy and compliance materials.
  • For customer work, additional vendor disclosures or contractual controls may be provided on request.

4. Responsible Disclosure

We welcome good-faith reports of vulnerabilities that materially affect the confidentiality, integrity, or availability of this website or the systems we use to receive enquiries. Reports should be sent to security@vereonix-technologies.com with enough detail for us to reproduce and evaluate the issue.

  • Include the affected URL, parameter, feature, or request flow.
  • Describe the impact and the steps needed to reproduce the issue.
  • Share screenshots, request samples, or logs only where necessary.
  • Give us a reasonable opportunity to investigate and remediate before public disclosure.

5. Testing Boundaries

To protect our users, customers, and providers, we ask that researchers do not perform any action that could disrupt service or expose data belonging to another person or organization.

  • No denial-of-service, stress testing, or attempts to degrade availability.
  • No social engineering, phishing, or attempts to access third-party accounts.
  • No exfiltration, alteration, or deletion of data that is not your own.
  • No automated scanning that creates excessive traffic or violates provider terms applying to the site.
  • No requests for payment tied to withholding a vulnerability report.

6. Incident Handling

When we identify or receive notice of a credible issue, we typically follow a practical response flow: triage the report, assess severity and scope, contain risk where needed, remediate the root cause, and review whether any follow-up communication or contractual notification is required.

The exact process and response time vary by severity, reproducibility, vendor dependencies, and whether the issue affects the public website only or a customer-specific delivery environment.

7. Security Reviews For Customer Engagements

Enterprise clients often need more than a public website statement. For qualified opportunities and active engagements, we can usually support security questionnaires, architecture overviews, NDA-backed document review, and project-specific discussions about access controls, data handling, or deployment scope.

Unless we explicitly confirm otherwise in writing, this page should not be interpreted as a guarantee that every client engagement uses the same control set, tooling, or hosting arrangement described here.