SECURITY // RESPONSIBLE_DISCLOSURE

Responsible Disclosure.

IDevSec builds infrastructure and platforms used by security practitioners. We take the integrity of our systems seriously. If you find a vulnerability, we want to hear from you directly, privately, and without delay.

  • 48H // INITIAL_RESPONSE
  • 7D // TRIAGE_WINDOW
  • 30D // PATCH_TARGET

01 / SCOPE

What is in Scope?

  • idevsec.com and all subdomains
  • IDevSec-operated SaaS platforms and APIs (including PwnConnect)
  • Authentication and authorisation mechanisms
  • Data exposure, injection, and access-control vulnerabilities
  • Infrastructure misconfigurations with demonstrable security impact
  • Third-party integrations we own and operate
02 / EXCLUSIONS

What is Out of Scope?

  • Denial of service or volumetric attacks against infrastructure
  • Social engineering of IDevSec personnel or users
  • Physical security attacks
  • Vulnerabilities in third-party libraries outside IDevSec control
  • Findings from automated scanners without demonstrated impact
  • Issues already publicly disclosed or reported by another researcher
03 / REPORTING

How to Report a Finding?

Send all vulnerability reports to our security team. Include a clear description, reproduction steps, proof-of-concept (if safe), and your assessment of impact and severity.

security@idevsec.com

Do not use public channels, GitHub issues, social media, or forums to disclose security vulnerabilities before coordination.

04 / PROCESS

What to Expect After Reporting?

  1. ACKNOWLEDGEMENT

    You will receive a confirmation within 48 hours that your report has been received and is under review.

  2. TRIAGE

    Our security team will validate the report, reproduce the issue, and assign a severity rating within 7 business days.

  3. Confirmed vulnerabilities target patching within 30 days. Systemic issues may require extended timelines; communications remain transparent.

  4. DISCLOSURE

    We support coordinated disclosure. Once patched, we will notify you and, with your agreement, acknowledge your contribution publicly.

05 / LEGAL

How does Safe Harbour apply?

IDevSec will not pursue civil or criminal action against researchers who discover and report security vulnerabilities in good faith, in accordance with this policy.

Good-faith research means: you do not access, modify, or destroy data beyond what is necessary to demonstrate the vulnerability; you do not disrupt our services; you report promptly and do not exploit the issue for personal gain.

This policy applies to IDevSec-operated systems only. We cannot grant authorisation for third-party systems we do not own.

06 / RECOGNITION

How is Research Recognized?

We do not currently operate a paid bug bounty programme. Researchers who responsibly disclose valid, high-impact vulnerabilities will be featured in the IDevSec Hall of Fame, permanently credited on this platform, with their consent.

HALL_OF_FAME // SECURITY_RESEARCHERS

Valid, high-impact disclosures earn a permanent listing on our security researcher hall of fame // includes name, handle, and finding category, recognised publicly at your discretion.

Exceptional contributions may additionally receive access to IDevSec platforms, practitioner resources, or direct engagement with the founding team.

LAST_UPDATED: 2026 // v1.0
IDEVSEC_SECURITY_POLICY // ALL_RIGHTS_RESERVED