IASECURITY

Responsible Disclosure

Found a bug? Don't go full disclosure - we reward white hats

Last updated: January 1, 2025

From Exploit to Disclosure (The Reformed Hacker Way)

As ex-blackhats, we respect researchers who find vulnerabilities responsibly. IASECURITY believes in coordinated disclosure - we've been on both sides of 0-days and know the right way to handle them.

Bug Bounty Program (We Pay for Exploits)

Turn your skills into legitimate income. We offer rewards for valid security findings:

Reward Tiers (Payout Structure)

  • Critical (RCE, SQLi, Auth Bypass): $2,000 - $10,000
  • High (XSS, CSRF, Privilege Escalation): $500 - $2,000
  • Medium (Information Disclosure, DoS): $100 - $500
  • Low (Minor Issues, Misconfigurations): $50 - $100

Bonus Multipliers (Advanced Exploitation)

  • 0-Day Discovery: 2x multiplier for previously unknown vulnerabilities
  • Exploit Chain: +50% for chaining multiple vulnerabilities
  • Working PoC: +25% for functional proof-of-concept code
  • Production Impact: +100% if exploitable on live systems

Scope and Rules of Engagement

In-Scope Targets

  • Primary Domain: *.ia-security.io and all subdomains
  • Web Applications: Client portals, API endpoints, admin panels
  • Mobile Applications: IASECURITY mobile apps (iOS/Android)
  • Infrastructure: Mail servers, DNS, CDN configurations

Prohibited Activities (Don't Cross These Lines)

  • No Data Exfiltration: Don't download or access customer data
  • No DoS Attacks: Automated scanners limited to 10 requests/second
  • No Social Engineering: Don't target our employees or customers
  • No Physical Attacks: This is digital-only hunting
  • No Public Disclosure: Report to us first, not Twitter/blogs

How to Submit a Finding (Secure Channels)

Preferred Submission Methods

  • Encrypted Email: security@ia-security.io (PGP key available)
  • HackerOne Platform: hackerone.com/iasecurity (coming soon)
  • Signal Messenger: +1 (856) 252-0558 (for critical findings)
  • Tor Hidden Service: ia-sec-disclosures.onion (ask for address)

Required Information (Quality Reports)

  • Vulnerability Summary: Clear description of the security issue
  • Affected Systems: Specific URLs, endpoints, or applications
  • Reproduction Steps: Detailed PoC with screenshots/video
  • Impact Assessment: Real-world exploitation scenarios
  • Suggested Fix: Recommendations for remediation

Response Timeline (Our SLA)

  • Initial Response: Within 24 hours of submission
  • Triage Assessment: 72 hours for severity classification
  • Status Updates: Weekly progress reports on complex issues
  • Resolution Target: 90 days maximum for critical vulnerabilities
  • Public Disclosure: 90 days after fix deployment (negotiable)

Legal Protection (Safe Harbor)

We won't sue you for hacking us (if you follow the rules):

  • DMCA Protection: Authorized testing under safe harbor provisions
  • No Criminal Charges: We won't involve law enforcement for authorized research
  • Good Faith Immunity: Acting in good faith = legal protection
  • Coordinated Disclosure: Work with us, not against us

Hall of Fame (Elite Researchers)

Recognition for researchers who help make IASECURITY more secure:

  • Public Recognition: Listed on our website (with permission)
  • Security Swag: IASECURITY branded merchandise
  • Conference Invites: VIP access to security events we sponsor
  • Job Opportunities: Fast-track to our red team positions

Contact Our Security Team

Ready to report a vulnerability? Need clarification on scope? Our security team (ex-blackhats) is standing by:

Security Team: security@ia-security.io

Bug Bounty: bounty@ia-security.io

Emergency Line: +1 (856) 252-0558

PGP Key ID: 0x1234567890ABCDEF

Address: IA SECURITY, LLC
131 Continental Dr, Suite 305
Newark, DE US
