Vulnerability Disclosure Policy

We take security seriously and value the input of security-conscious individuals who help keep Our community safe. If You believe You've discovered a security issue within Our platform, We urge You to report it promptly. We commit to investigating every submission and will work closely with You to validate and remediate confirmed vulnerabilities. We kindly ask that You keep this information confidential until the issue is resolved, to protect Our community.

Policy Scope

This policy applies to all websites and services managed by Us. If You're uncertain about the scope of the vulnerability You've found, please adhere to the guidelines herein.

Conducting Vulnerability Research

You are welcome to conduct responsible security testing on Our services for which You have authorized access. However, Your research must not:

  1. Violate any laws.
  2. Modify or delete data that doesn't belong to You.
  3. Access or attempt to access unauthorized data.
  4. Execute denial-of-service attacks.
  5. Perform load testing.

Exceptions may be considered after initial reporting, at the discretion of Our security team.

Reporting Guidelines

To report an issue, please email Your findings to security@ideanote.io with the following details:

  • Target: Specify where the vulnerability exists (e.g., main website, cloud service, etc.)
  • Type: Classify the vulnerability (e.g., DoS, authentication bypass, etc.)
  • Description: Provide a thorough explanation including steps to reproduce and any assumptions made.
  • URL / Location: (Optional) The exact URL where the vulnerability was found.
  • Contact Information: (Optional) Alternative channels for reaching You.

Please note, We do not currently support GPG encryption. Expect an acknowledgment within 48 hours, and a detailed follow-up within three business days.

Valid Disclosures

Please refrain from submitting reports related to:

  • Known public files or directories.
  • Lockout policies during DoS attacks.
  • Suggestions on DNS and email configurations.
  • Phishing or social engineering.
  • iFrame embeds, X-Frame-Options, clickjacking.
  • Security flags on non-sensitive cookies.

Disclosure Timeline

For valid disclosures, Our security team will:

  1. Acknowledge Your submission.
  2. Attempt to verify and assess the impact of the report.
  3. Confirm or reject the issue, including rationale.
  4. Audit relevant code for similar vulnerabilities.
  5. Prepare fixes.
  6. Publish a security advisory once mitigations are ready.

Compensation

While We do not offer monetary rewards for vulnerability reporting at this time, We may consider compensating You for certain research costs after confirming Your report, subject to prior written approval.

We look forward to Your cooperation and thank You for helping Us maintain a secure environment for everyone.