Security Vulnerability Disclosure Policy
VietnamBikers Travel Company Limited
1. Our Commitment to Security
VietnamBikers Travel Company Limited (operating as "VietnamBikers") is committed to ensuring the security of our services and protecting our customers' data. We value the contributions of security researchers and the broader community in helping us maintain a secure environment.
This policy outlines how to responsibly report a potential security vulnerability to us and what you can expect from us in return.
2. Scope
In-Scope Assets:
This policy applies to all security vulnerabilities found in the following publicly accessible assets owned by our company:
- https://vietnammotorcycletours.com (our main website)
- Any subdomains of vietnammotorcycletours.com (e.g., media.vietnammotorcycletours.com)
- Our proxied domains (e.g., vietnambikers.travel, vietnambikers.tours)
Out-of-Scope Assets:
This policy does **not** apply to:
- Third-party services we use (e.g., TripAdvisor, Google Maps, Facebook, BunnyCDN). Vulnerabilities in these services should be reported directly to them.
- Denial of Service (DoS or DDoS) attacks.
- Social engineering (e.g., phishing) of our staff or customers.
- Physical attacks against our property or data centers.
3. How to Report a Vulnerability
If you believe you have found a security vulnerability in one of our in-scope assets, please notify us immediately by sending an email to:
[email protected]
Please include the following information in your report:
- A clear description of the vulnerability and its potential impact.
- Detailed steps to reproduce the vulnerability, including any URLs or screenshots.
- Your contact information (name and email) for follow-up.
4. Our "Safe Harbor" Promise
We will not pursue legal action against researchers who report vulnerabilities, provided they adhere to this policy and:
- Do not access, modify, or delete any customer or company data.
- Do not disrupt our services (e.g., perform DoS attacks).
- Make a good faith effort to avoid privacy violations.
- Give us a reasonable amount of time to fix the issue before making any information public.
5. What to Expect from Us
We are committed to being responsive and fair:
- We will do our best to acknowledge receipt of your report (e.g., within 3-5 business days).
- We will investigate the issue and notify you of our findings.
- We will work to remediate the vulnerability in a timely manner.
- With your permission, we will publicly thank you for your contribution on our Security Acknowledgements page.