Last updated: 7 May 2026
Reporting a vulnerability
If you believe you have found a security issue on this website or in services we operate, please contact us at security@vividsoftwares.com.au. A machine-readable contact is also published at /.well-known/security.txt in line with RFC 9116.
We ask researchers to:
- Avoid privacy violations, denial of service, and any tests that affect users or systems beyond what is necessary to demonstrate the issue.
- Provide enough information for us to reproduce the issue.
- Give us a reasonable opportunity to remediate before public disclosure.
We do not currently operate a paid bug bounty programme. We thank researchers who report responsibly and will, with your permission, acknowledge contributors after remediation.
Website security baseline
- HTTPS-only with HSTS, valid TLS certificates managed by Cloudflare.
- Security headers including Content-Security-Policy, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
- Cloudflare WAF and bot management in front of origin.
- Cloudflare Turnstile on user-submitted forms.
- No third-party tracking scripts beyond optional, disclosed analytics.
Operational security
- Phishing-resistant MFA on all administrative accounts.
- Privileged Identity Management for elevated roles.
- Managed devices with disk encryption and modern endpoint protection.
- Least-privilege access to client environments, scoped per engagement.
- Secrets stored in audited vaults; we do not commit secrets to source control.
- Backups for our own systems with periodic restore drills.
Engagement security
For client engagements we typically:
- Sign mutual non-disclosure agreements where appropriate.
- Use named accounts in your tenant or environment, with audit logs available to you.
- Document changes via change records or pull requests so you have an auditable trail.
- Hand back administrative access and remove our accounts on engagement closure.
Disclosure
Coordinated disclosure is appreciated. Where appropriate, we publish advisories or timeline notes after remediation. Aggregated incident statistics may be published from time to time.
Contact
Security: security@vividsoftwares.com.au
PGP keys are available on request.