Skip to content
Security

Report a vulnerability — and see how we run security.

Responsible disclosure routes through a documented channel, and the security posture a procurement team evaluates is published here, not gated behind a sales call.

Responsible disclosure

Valentra Labs welcomes good-faith security research. Report a suspected vulnerability privately to our security team and give us a reasonable opportunity to remediate before any public disclosure. We will not pursue legal action against researchers who act in good faith, avoid privacy violations and service degradation, and do not access or modify data beyond what is necessary to demonstrate an issue.

Report a suspected vulnerability to security@valentralabs.com. We acknowledge new reports within 3 business days and provide a triage assessment within 10 business days.

In scope

  • valentralabs.com and its public subdomains
  • The public marketing site and its form-submission pipeline

Out of scope

  • Denial-of-service (DoS/DDoS) and volumetric or load testing
  • Social engineering, phishing, or physical attacks against staff or facilities
  • Automated scanning that degrades service for other users
  • Reports from third-party software without a demonstrated, exploitable impact

Incident response & 72-hour restoration

Incident response
A documented incident-response process governs detection, triage, containment, and customer notification for security events.
72-hour restoration commitment
We maintain a documented commitment to restore critical operations within 72 hours of a major disruption, aligned to the HHS HPH cybersecurity performance goals (NPRM, December 2024).

Security posture

Conservative, defensibly-true statements of how the platform is operated. Specific cadences are reviewed and updated as the program matures.

Encryption in transit
All traffic to and from the platform is encrypted in transit over TLS.
Encryption at rest
Data persisted by the platform is encrypted at rest by the managed database and hosting infrastructure it runs on.
MFA enforcement
Multi-factor authentication (MFA) is enforced for administrative access to production systems and the providers that operate them.
Asset inventory
We maintain an inventory of production assets and review it on a quarterly cadence.
Vulnerability management
Dependencies and infrastructure are monitored for known vulnerabilities, and remediation is prioritised by severity on a continuous cadence.

Machine-readable policy

Our disclosure metadata is published in the IETF RFC 9116 format at /.well-known/security.txt.