SECURITY · LAST UPDATED 2026-06-07
Security Disclosures
Vencer Group operates managed security for clients across Canada and internationally. We take vulnerability reports seriously, respond quickly, and treat researchers with respect.
Our security posture
Vencer Group has operated 11 years without a client breach. That's not luck. It's the result of:
- Multi-tenant isolation - no client data shares a tenant with another client's
- Vendor-grade EDR on every endpoint we manage (Gartner Leaders Quadrant only)
- 24/7 NOC/SOC monitoring out of Calgary and Singapore
- Quarterly Technology Business Reviews with documented control attestation
- Annual penetration testing and tabletop exercises
- Zero-trust network architecture as default
- Documented incident response runbooks (Premier tier)
Vulnerability disclosure
If you've discovered a security vulnerability in Vencer Group's public website, infrastructure, or services, please report it to us before disclosing publicly. We respond to all reports within 5 business days.
How to report
- Email: security@vencergroup.com
- PGP key: available on request
- RFC 9116 advisory: /.well-known/security.txt
What to include
- A clear description of the vulnerability
- Steps to reproduce
- The potential impact you've identified
- Your preferred name/handle for acknowledgment (or anonymous if you prefer)
What you can expect from us
- Acknowledgment of receipt within 5 business days
- An initial assessment within 10 business days
- Regular status updates while we investigate and remediate
- Public acknowledgment after remediation (if you wish)
- No legal action against good-faith researchers following this policy
Scope
In scope:
- vencergroup.com and all subdomains
- Public-facing infrastructure
- Any product or service Vencer Group operates publicly
Out of scope:
- Client-specific systems Vencer Group manages on behalf of clients (those reports go through the client's incident response process)
- Third-party services we use (Google, HubSpot, Cloudflare, etc.) - report to the vendor directly
- Findings that require physical access or social engineering
- Denial-of-service testing
- Spam, brute-force, or rate-limit findings
Bug bounty
Vencer Group does not currently operate a paid bug bounty program. However, we recognize researchers who report responsibly and we may issue acknowledgments, references, or small thank-you gestures at our discretion.
Safe harbor
We will not pursue legal action against researchers who:
- Act in good faith
- Avoid privacy violations, destruction of data, and interruption of service
- Do not exploit findings beyond what is necessary to demonstrate the issue
- Provide us reasonable time to remediate before public disclosure
- Follow the disclosure process above
Acknowledgments
We credit researchers who report valid security issues in good faith and follow responsible disclosure. If you would like to be acknowledged publicly for a report, tell us in your initial email and we will add you here after remediation.
No public acknowledgments at this time.