Security
Security / Vulnerability Disclosure Policy
This policy gives people a safe channel to report security issues and describes the rules for responsible testing.
Service Provider / Data Controller
For GDPR purposes, MORARU ANDREI-DANIEL PERSOANĂ FIZICĂ AUTORIZATĂ is the data controller for account, payment, support, and website-related personal data.
- Legal name
- MORARU ANDREI-DANIEL PERSOANĂ FIZICĂ AUTORIZATĂ
- Legal form
- Authorised Natural Person (Romanian PFA)
- Trade Register no.
- F2026025353008
- CUI/CIF
- 54681475
- Professional headquarters
- Bucureşti Sectorul 1, Bulevardul Bucureştii Noi, Nr. 136, Etaj PARTER, Ap. 5
- [email protected]
- Website
- https://nologvpn.org
Where to Report
Send security reports to [email protected] with the subject Security Report - NoLogVPN.
Recommended Scope
• the public NoLogVPN website
• the account dashboard and authentication flows
• the public API used by the application
• device provisioning and WireGuard configuration flows
Responsible Testing Rules
• do not access, modify, delete, or expose other users' data
• do not disrupt the service or run volume, spam, or denial-of-service testing
• do not attempt social engineering, phishing, physical attacks, or attacks against third-party providers
• stop testing and report immediately if you encounter sensitive data
• do not publish vulnerability details until NoLogVPN has reasonable time to fix the issue
What to Include
• a description of the vulnerability and likely impact
• reproduction steps, URLs, and the test account used
• redacted screenshots or logs without secrets or other users' data
• your contact details for clarification questions
Limits
NoLogVPN does not currently operate a public bug bounty program. Responsible reporting does not authorize access to data that is not yours, service disruption, or violation of applicable law.