Responsible Security Disclosure Policy
Helping us protect our clients and systems through coordinated vulnerability disclosure
Last Updated: November 13, 2025
Our Security Commitment
INNOLAB is committed to protecting the security and privacy of our clients' data and systems. We recognize that security researchers and ethical hackers play a vital role in helping organizations identify and remediate vulnerabilities. We welcome responsible disclosure of security vulnerabilities and are committed to working with the security community to protect our users and systems.
1. Scope and Coverage
1.1 In-Scope Systems and Services
Our responsible disclosure policy covers the following systems and services:
- Public-Facing Web Applications: All INNOLAB-owned websites and web applications accessible from the internet
- Client Portal Systems: Customer-facing portals and self-service applications
- API Endpoints: Publicly accessible API services and integrations
- Mobile Applications: INNOLAB-developed mobile apps (iOS, Android)
- Cloud Infrastructure: INNOLAB-managed cloud services and configurations
- Internal Systems: Systems directly managed by INNOLAB for service delivery
1.2 Out-of-Scope Systems
The following are NOT covered under this policy:
- Client-owned or client-managed systems (unless we have explicit authorization)
- Third-party platforms we use but don't control (e.g., Salesforce.com, HubSpot, AWS managed services)
- Social engineering attacks targeting INNOLAB employees
- Physical security testing of INNOLAB offices or facilities
- Testing that disrupts services or degrades user experience
1.3 Vulnerability Types We're Interested In
We particularly value reports about:
2. Responsible Disclosure Guidelines
To qualify for our responsible disclosure program, researchers must:
2.1 Do's - Acceptable Research Activities
- Make every effort to avoid privacy violations, data destruction, or service degradation
- Use only test accounts you have created or been provided for testing
- Only interact with accounts you own or have explicit permission to access
- Report vulnerabilities as soon as they are discovered
- Provide sufficient information to reproduce the issue
- Keep vulnerabilities confidential until we've had reasonable time to address them
- Act in good faith and avoid violating privacy, damaging systems, or interrupting services
2.2 Don'ts - Prohibited Activities
- DO NOT access, modify, or delete data that doesn't belong to you
- DO NOT perform testing that could degrade or deny service to legitimate users
- DO NOT execute social engineering attacks (phishing, vishing, etc.)
- DO NOT perform physical security testing of facilities
- DO NOT use automated vulnerability scanners without prior approval
- DO NOT publicly disclose vulnerabilities before we've had time to fix them (90-day disclosure window)
- DO NOT demand payment or extort INNOLAB in exchange for vulnerability information
2.3 Safe Harbor and Legal Protection
Legal Safe Harbor: If you follow these guidelines and stay within the scope defined in Section 1, INNOLAB will not initiate legal action against you for your security research activities. We treat good-faith security research conducted in accordance with this policy as authorized testing of our in-scope systems under New Zealand law. If a third party initiates legal action against you for activities conducted in accordance with this policy, we will make this policy known to that third party.
3. How to Report a Vulnerability
3.1 Reporting Channels
Please report security vulnerabilities through one of the following secure channels:
Security Response Team
Email: [email protected]
Phone: +64 22 098 0517 (for urgent/critical issues only)
PGP Key: Download PGP Public Key (for encrypted communication)
Important: Please include "[SECURITY]" in the email subject line. For highly sensitive issues, encrypt the report with our PGP key, and verify the key's fingerprint before you encrypt.
3.2 Information to Include in Your Report
To help us triage and address the vulnerability quickly, please include:
- Vulnerability Description: Clear description of the issue and its potential impact
- Steps to Reproduce: Detailed step-by-step instructions to reproduce the vulnerability
- Proof of Concept: Screenshots, videos, or code demonstrating the issue
- Affected Systems: URLs, API endpoints, or system components affected
- Severity Assessment: Your assessment of the issue's severity (Critical/High/Medium/Low)
- Discovery Date: When you first discovered the vulnerability
- Your Contact Information: Name, email, and (optionally) company/affiliation
- Disclosure Preference: Whether you'd like public acknowledgment (if resolved)
3.3 Report Template

```text
Subject: [SECURITY] Brief Description of Vulnerability

1. Summary:
   [Brief description of the vulnerability]

2. Severity: [Critical/High/Medium/Low]

3. Affected System:
   [URL or system identifier]

4. Steps to Reproduce:
   1. [Step 1]
   2. [Step 2]
   3. [Step 3]

5. Impact:
   [What can an attacker do with this vulnerability?]

6. Proof of Concept:
   [Code, screenshots, or demonstration]

7. Mitigation Recommendations:
   [Your suggestions for fixing the issue]

8. Your Information:
   Name: [Your Name]
   Email: [Your Email]
   Disclosure: [Public acknowledgment: Yes/No/Anonymous]
```
4. Response Process and Timeline
Flexible Response Framework: INNOLAB will respond to vulnerability reports in a timely manner appropriate to the severity and complexity of the issue. Response and resolution timelines will vary based on severity assessment, technical complexity, resource availability, and third-party dependencies. We aim to provide regular updates and will work with reporters to establish reasonable timelines for resolution and disclosure.
4.1 Our Response Commitment
| Phase | Typical Timeframe | Actions |
|---|---|---|
| Initial Response | Within 5 business days | Acknowledge receipt, assign a case number, confirm the report is in scope |
| Triage | As required | Verify vulnerability, assess severity, prioritize remediation |
| Status Updates | As appropriate | Provide progress updates on remediation efforts |
| Remediation | Based on severity and complexity | Develop, test, and deploy fix |
| Resolution | After fix deployment | Notify reporter, request verification, coordinate disclosure |
4.2 Indicative Remediation Timelines
The following timelines are indicative and may vary based on the specific circumstances of each vulnerability. We will work collaboratively with reporters to establish mutually agreed timelines for complex issues.
| Severity | Typical Resolution Goal | Suggested Disclosure Window |
|---|---|---|
| Critical | As soon as possible | Coordinated with INNOLAB |
| High | Priority remediation | Coordinated with INNOLAB |
| Medium | Scheduled remediation | Coordinated with INNOLAB |
| Low | Standard remediation | Coordinated with INNOLAB |
4.3 Severity Rating Criteria
Critical: Remote code execution, SQL injection with data exfiltration, authentication bypass affecting all users, mass data breach
High: XSS leading to session hijacking, privilege escalation, significant data exposure, CSRF affecting sensitive operations
Medium: XSS without session impact, information disclosure, CSRF on non-critical functions, misconfiguration with limited impact
Low: Descriptive error messages, minor information leakage, findings with no demonstrable security impact
5. Coordinated Disclosure and Public Recognition
5.1 Disclosure Timeline
We request that researchers allow us a reasonable time to investigate and remediate vulnerabilities before public disclosure. Our standard disclosure window is 90 days from initial report, though we aim to resolve issues much faster based on severity (see Section 4.2).
We will coordinate with you on the timing and content of public disclosure. If we are unable to fix the vulnerability within the agreed timeframe, we will work with you to determine an appropriate course of action, which may include:
- Implementing temporary mitigations or workarounds
- Issuing security advisories to affected customers
- Agreeing on a revised disclosure timeline
- Coordinating limited public disclosure with mitigation guidance
5.2 Public Recognition
With your permission, we will publicly acknowledge your contribution to INNOLAB's security in the following ways:
- Security Hall of Fame: Listed on this page with your name/handle and vulnerability summary
- Social Media: Recognition via INNOLAB's official social media channels
- CVE Credit: Credit in CVE records (if applicable)
- Thank You Letter: Official letter of appreciation for professional reference
You may choose to remain anonymous or use a pseudonym for public acknowledgment.
6. Recognition and Incentives
Recognition is not guaranteed or obligatory, and will be extended based on the significance of the contribution and at INNOLAB’s full discretion.
7. Security Hall of Fame
We recognize security researchers who helped improve INNOLAB's security through responsible disclosure.
alienx369
Ashik Mohamed
Sahaj Gautam
8. Contact Information
For questions about this policy, security inquiries, or vulnerability reports, please contact:
INNOLAB - Security Team
Address: Auckland, New Zealand
Security Email: [email protected]
Phone: +64 22 098 0517 (Urgent issues only)
Website: innolab.co.nz
For non-security inquiries, please visit our contact page or check our Privacy Policy.
Policy Updates
We may update this Responsible Disclosure Policy from time to time to reflect changes in our processes, legal requirements, or best practices. Material changes will be communicated via email to researchers who have previously submitted reports. Continued participation in our program after changes constitutes acceptance of the updated policy.