Security
Last updated: 9 May 2026.
Verusum builds verification infrastructure for the EU Carbon Border Adjustment Mechanism. Audit defensibility is the load-bearing property of the platform; security posture is the load-bearing input.
Reporting a vulnerability
Send vulnerability reports to security@verusum.com. Reports should describe the vulnerability, the affected surface (verusum.com, vsmcodex.org, or the Verusum commercial platform once deployments exist), reproduction steps, and any context on impact. Do not test against systems other than your own without explicit authorisation.
Response timeline
— Acknowledgement within 48 hours of receipt.
— Initial triage within 5 business days.
— Coordinated disclosure within 90 days of acknowledgement, unless the reporter and Verusum agree otherwise.
Scope
In scope: verusum.com, vsmcodex.org, and, once they ship, the Verusum commercial platform deployments. The vsmcodex.org open-source security policy is published separately at vsmcodex.org/security. Out of scope: third-party services not operated by Verusum (Framer, Cloudflare, Google Workspace — report directly to those providers).
Coordinated disclosure
Verusum operates a coordinated-disclosure model. Reporters are asked to delay public disclosure until a fix is available or 90 days after acknowledgement, whichever is sooner. Verusum will not pursue legal action against reporters acting in good faith under this policy.
Safe harbour
Security research conducted in good faith, against systems within the scope above, in accordance with the timing and disclosure terms here, is authorised by Verusum and protected from legal action under the safe-harbour terms of this policy.
Data residency
Verusum commercial platform deployments will be EU-hosted by default, with regional residency options available for specific jurisdictions where local procurement requirements warrant. The static institutional site at verusum.com is hosted via Framer's CDN; verifier and exporter platform tenants will be deployed under explicit data-residency commitments at MoU signing.
Encryption posture
Transit: TLS 1.3 with HSTS preload. At rest: AES-256 across all primary stores and backups. Customer-managed keys (CMK) under tenant control are part of the Enterprise procurement scope.
Audit log integrity
The Verusum commercial platform maintains audit-log integrity through immutable append-only records, cryptographic timestamping, and signed attestations consistent with regulator-aligned audit-trail conventions. Workflow state transitions are queryable and survive personnel turnover.
Vulnerability disclosure file
The machine-readable disclosure point is at verusum.com/.well-known/security.txt per RFC 9116.
