Vulnerability Disclosure Policy

Last Updated: June 11, 2026

At Vornado, we take the security of our Connected App and related services seriously. We welcome responsible disclosure of security vulnerabilities and appreciate the efforts of security researchers who help us improve our security.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability, please fill in the form above and include:

  • A description of the issue
  • Steps to reproduce the vulnerability
  • Affected feature, component, or service
  • Any supporting evidence, such as screenshots or proof-of-concept details
  • Contact information for follow-up questions

Scope

This policy applies to the Vornado Connect App. Third-party systems and services not controlled by Vornado are outside the scope of this policy.

Vulnerability Severity

We generally prioritize vulnerabilities based on their potential impact, including:

Critical

  • Remote code execution
  • Unauthorized administrative access
  • Complete compromise of user accounts or systems

High

  • Authentication bypass
  • Privilege escalation
  • Significant exposure of sensitive information

Medium

  • Access control weaknesses
  • Limited data exposure
  • Security misconfigurations with moderate impact

Low

  • Information disclosure with minimal risk
  • Security best-practice issues
  • Low-impact vulnerabilities requiring unusual conditions

Research Guidelines

When testing and reporting vulnerabilities, please:

  • Act in good faith.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Do not disrupt service availability or perform denial-of-service testing.
  • Limit testing to what is necessary to demonstrate the vulnerability.
  • Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it.

Safe Harbor

We will not pursue legal action against individuals who engage in good-faith security research and comply with this policy. Activities conducted in accordance with this policy are considered authorized.

Our Commitment

We will:

  • Acknowledge receipt of vulnerability reports within a reasonable timeframe.
  • Investigate and validate reported issues.
  • Prioritize remediation based on risk and impact.
  • Communicate with reporters regarding the status of validated vulnerabilities, where appropriate.

Exclusions

The following generally do not qualify as security vulnerabilities unless a clear security impact is demonstrated:

  • Missing security headers
  • Version disclosure
  • Reports based solely on automated scan results
  • Low-risk configuration observations without exploitability

Thank you for helping us keep our users, devices, and services secure!

© 2026 Vornado Air, All rights reserved.