Responsible Disclosure Program

At Vita Mojo, we take the security of our platform and the protection of our customers’ data seriously. We maintain an active security testing programme with accredited partners and welcome responsible security research from the wider community.

If you believe you have discovered a security vulnerability in our platform, we encourage you to report it to us responsibly. We are committed to working with security researchers to verify and address legitimate findings.

Scope

We are particularly interested in vulnerabilities related to:

  1. Payments fraud or payment flow manipulation
  2. Loyalty programme abuse
  3. Authentication and authorisation bypass
  4. Personally identifiable information exposure or abuse
  5. API security weaknesses in publicly accessible endpoints

Testing must be conducted against publicly discoverable resources only. We do not provide access to staging environments, test accounts, API documentation, or any other internal resources. All endpoints and attack surfaces must be independently discovered by the researcher.

Severity Levels

Critical

Vulnerabilities that could lead to significant financial loss, large-scale data breach, or complete system compromise.

  • Remote code execution allowing unauthorised access to payment data
  • Injection vulnerability exposing customer databases including payment information

High

Vulnerabilities that could lead to partial system compromise, moderate financial loss, or unauthorised access to sensitive data.

  • Authentication bypass allowing unauthorised order placement or modification
  • Vulnerability enabling manipulation of loyalty balances across multiple accounts

Medium

Vulnerabilities that may lead to limited unauthorised access or moderate impact on system integrity.

  • Cross-site scripting (XSS) in customer-facing interfaces
  • Insecure direct object references allowing access to other users’ order details

Low

Vulnerabilities with minimal impact on system security or user data.

  • Information disclosure of non-sensitive system information (e.g., software versions)
  • Clickjacking on non-critical pages

Recognition

We do not offer monetary rewards. Instead, we recognise the contributions of security researchers who help us improve our platform:

  • Security Researcher Hall of Fame: Confirmed, unique, and responsibly disclosed vulnerabilities will be acknowledged on our Hall of Fame page (published with the researcher’s consent). Recognition is at Vita Mojo’s sole discretion and is based on severity, impact, and report quality.
  • Written acknowledgement: We will provide a formal letter of acknowledgement upon request, which researchers may use for professional purposes.
  • CVE coordination: For qualifying vulnerabilities, we will work with researchers on responsible CVE disclosure where appropriate.

In the event of duplicate reports, recognition is given to the first researcher to submit the finding.

Submission Process

  • Report vulnerabilities via email to: [email protected]
  • Include a clear description of the vulnerability, steps to reproduce, affected endpoints, and potential impact
  • Include your preferred name or handle for Hall of Fame recognition
  • Do not include any customer data samples — a description of the data type is sufficient

Response Timeline

  • Initial acknowledgement: Within 3 business days
  • Vulnerability triage: Within 10 business days
  • Resolution timeline: Communicated after triage, based on severity
  • Hall of Fame update: After the vulnerability has been verified and resolved

Rules of Engagement

  • All testing must be conducted against publicly accessible surfaces only
  • No automated scanning or mass enumeration tools – manual, targeted testing only
  • Do not attempt to access, modify, or exfiltrate customer data
  • Do not perform denial-of-service testing
  • Do not use social engineering against Vita Mojo staff or customers
  • Do not test physical security
  • Report vulnerabilities promptly and directly. Do not disclose publicly until the issue is resolved
  • One vulnerability per report

Out of Scope

The following are not eligible for recognition:

  • Findings from automated scanners submitted without manual validation
  • Vulnerabilities in third-party services or integrations not operated by Vita Mojo
  • Missing security headers without a demonstrated exploit
  • SSL/TLS configuration issues without a demonstrated attack
  • Clickjacking on pages with no sensitive actions
  • Rate limiting or brute force issues on non-authentication endpoints
  • Best practice recommendations without a concrete vulnerability
  • Reports generated entirely by AI/automated tools without researcher verification and contextual analysis

Safe Harbour

We will not pursue legal action against researchers who conduct security research in good faith and in compliance with this programme. If our guidelines are not adhered to, we reserve the right to pursue legal action.

Good faith means:

  • You followed the rules of engagement outlined above
  • You reported the vulnerability to us before disclosing it to anyone else
  • You did not access or attempt to access customer data beyond what was necessary to demonstrate the vulnerability
  • You stopped testing once you confirmed the vulnerability

Contact

Email: [email protected]