Vulnerability Disclosure Policy
Last updated: 4 June 2026
Intrudify welcomes reports of security vulnerabilities in our systems from the security research community. This policy explains how to report a vulnerability to us, what you can expect from us, and the conditions under which we will not pursue legal action against good-faith research.
1. How to report
- Email: [email protected]
- Machine-readable contact: https://intrudify.com/.well-known/security.txt (RFC 9116)
Please include a description of the vulnerability, the affected URL/endpoint or component, steps to reproduce (proof-of-concept), and the potential impact. Encrypted email is available on request.
Please do not include third-party data or our customers' data in your report. If you encounter such data, stop and tell us immediately.
2. Our commitment to you
When you submit a report in good faith:
- We will acknowledge receipt within 48 hours (business hours, en/ro).
- We will provide an initial assessment and triage outcome, and keep you informed of remediation progress for valid findings.
- We will handle your report confidentially and will not share your details with third parties without your consent, except as required by law.
- We will credit you (with your permission) once a fix is deployed. A public acknowledgments page may be published at a later date.
Intrudify does not currently operate a paid bug-bounty programme. Reports are handled on a responsible-disclosure basis.
3. Scope
In scope: intrudify.com and its application subdomains, and the Intrudify SaaS platform that we operate.
Out of scope (do not test):
- Customer environments, customer-supplied targets, or any system you scanned through the Intrudify product. Findings about a customer's own assets must go to that customer, not to Intrudify.
- Denial-of-service (DoS/DDoS), volumetric, or load/stress testing.
- Social engineering, phishing of staff or customers, and physical attacks.
- Automated scanning that degrades service availability.
- Reports from automated tools without a demonstrated, exploitable impact.
4. Safe harbour (good-faith research)
If you make a good-faith effort to comply with this policy during your research, Intrudify will:
- not initiate or recommend legal action against you for accidental, good-faith violations of this policy;
- consider your research to be authorised under applicable computer-misuse laws to the extent that this policy permits;
provided that you: stay within the scope above; do not access, modify, exfiltrate, or destroy data beyond the minimum necessary to demonstrate a vulnerability; do not intentionally degrade our services; and give us a reasonable period to remediate before any public disclosure (we request coordinated disclosure; see section 5). This safe harbour does not apply to actions that violate applicable law independently of this policy.
5. Coordinated disclosure
We ask that you give us a reasonable opportunity to remediate before publicly disclosing a finding. We aim to remediate critical issues within 48 hours and high-severity issues within 7 days. We are happy to coordinate a mutually agreed public disclosure timeline with you.
6. Contact
Questions about this policy or a report? Email [email protected].
This document is provided for general information. It is the public counterpart to Intrudify's internal vulnerability-management and incident-response processes.