Report a vulnerability — and see how we run security.
Responsible disclosure routes through a documented channel, and the security posture a procurement team evaluates is published here, not gated behind a sales call.
Responsible disclosure
Valentra Labs welcomes good-faith security research. Report a suspected vulnerability privately to our security team and give us a reasonable opportunity to remediate before any public disclosure. We will not pursue legal action against researchers who act in good faith, avoid privacy violations and service degradation, and do not access or modify data beyond what is necessary to demonstrate an issue.
Report a suspected vulnerability to security@valentralabs.com. We acknowledge new reports within 3 business days and provide a triage assessment within 10 business days.
In scope
- valentralabs.com and its public subdomains
- The public marketing site and its form-submission pipeline
Out of scope
- Denial-of-service (DoS/DDoS) and volumetric or load testing
- Social engineering, phishing, or physical attacks against staff or facilities
- Automated scanning that degrades service for other users
- Reports from third-party software without a demonstrated, exploitable impact
Incident response & 72-hour restoration
- Incident response
- A documented incident-response process governs detection, triage, containment, and customer notification for security events.
- 72-hour restoration commitment
- We maintain a documented commitment to restore critical operations within 72 hours of a major disruption, aligned to the HHS HPH cybersecurity performance goals (NPRM, December 2024).
Security posture
Conservative, defensibly-true statements of how the platform is operated. Specific cadences are reviewed and updated as the program matures.
- Encryption in transit
- All traffic to and from the platform is encrypted in transit over TLS.
- Encryption at rest
- Data persisted by the platform is encrypted at rest by the managed database and hosting infrastructure it runs on.
- MFA enforcement
- Multi-factor authentication (MFA) is enforced for administrative access to production systems and the providers that operate them.
- Asset inventory
- We maintain an inventory of production assets and review it on a quarterly cadence.
- Vulnerability management
- Dependencies and infrastructure are monitored for known vulnerabilities, and remediation is prioritised by severity on a continuous cadence.
Machine-readable policy
Our disclosure metadata is published in the IETF RFC 9116 format at /.well-known/security.txt.