Vulnerability Disclosure Program
IQNOX welcomes contributions from responsible security researchers (“you” hereafter) as part of its vulnerability disclosure program (“VDP”). Thus, in response to your good-faith participation in the VDP, we will:
-> Not initiate legal action against you.
-> If a third party initiates legal action against you as a result of your participation in the VDP, inform such a third party of your good-faith compliance with it.
To be eligible, you must:
-> Submit reports about potential vulnerabilities via email to secops@iqnox.com with “VDP” in the subject line.
-> Describe the vulnerability, where it was discovered, and the impact to data confidentiality, integrity, or availability. This includes artificial intelligence (AI) systems where the outputs are offensive, unethical, illegal, or have otherwise adverse impacts.
-> Give a detailed description of the steps needed to reproduce the vulnerability, including either a step-by-step written narrative, a video recording, or both.
-> Agree to keep confidential any information (with the exception of Authorized Public Communications, described below) obtained while participating in the VDP.
To be eligible, you must NOT:
-> Demand compensation or insinuate that it is owed.
-> Provide (or threaten to provide) any information obtained while participating in the VDP to any third party not under any contractual or otherwise legally binding duty of confidentiality to you or your organization. The only exception to this is the Authorized Public Communications.
-> Access more data than required to confirm the vulnerability.
-> Modify or destroy any data encountered.
-> Perform social engineering, physical penetration testing, or denial of service attacks on IQNOX personnel, locations, or assets.
-> Submit vulnerability reports from automated scanning tools without evidence of exploitability.
If you comply with these requirements, IQNOX will:
-> Work with you in good faith.
-> Acknowledge receipt of your report within 72 hours.
-> Advise whether IQNOX has accepted the report, and, if so, when the vulnerability is resolved.
-> If desired, recognize you via appropriate channels (“Authorized Public Communications”), including the following information (if applicable):
- Your name or handle
- Your organization
- General description of the vulnerability
- Common Vulnerabilities and Exposures (CVE) identifier
-> After the Authorized Public Communications, authorize and provide a revocable, royalty-free license for you to post exploit code for the specific vulnerability remediated in a public forum of your choice, provided that posting such code does not violate any third-party rights.
This vulnerability disclosure program was influenced by StackAware. For more information, visit https://vdp.stackaware.com