Security vulnerability reporting guidelines

In the interest of coordinated disclosure, please report security vulnerabilities with any Vivid product or service to before disclosing them publicly.

We strongly encourage you to use PGP or GPG in combination with the following PGP key to protect our sensitive communications. Be sure to validate the PGP key to your satisfaction before trusting and using it. We also encourage you to check our PGP signature on email and documents to authenticate that they were indeed written by us and have not been altered.

Download the Vivid Inc. PGP key
This key has been submitted to the MIT PGP Public Key Server.

Please supply as much information as possible and necessary for us to independently diagnose and remediate the vulnerability. We do not forward to third parties your reports, or any information that identifies you, your organization, or your IT systems and configuration.

Vivid investigates all reports. Vulnerability reports are read by a restricted and carefully chosen set of Vivid personnel. Undisclosed security vulnerability information is not normally made available to people outside of this group and the reporter. After privately receiving a vulnerability report, the Vivid security team works privately with the reporter to resolve the vulnerability. A new release is made of the related products and services that include the fix, after which the vulnerability is publicly announced.

Note: This and other security-oriented documents are updated as necessary on a continuing basis. These documents together with offering-specific security documents and supplemental notices at points of collection comprise the overall security stance of Vivid Inc. and its offerings. Future readings of the overall security stance represent the best information available at those given points in time.