
Vulnerability Disclosure Policy

We’re a security tool. We hold security research to the standard we’d want to be held to. This policy explains what’s in scope, how to report a finding, what response you can expect from us, and the safe-harbor terms under which we operate.

Version 1.0 Last updated 2026-04-24

1. How to report

Email [email protected]. For sensitive findings encrypt the body and any attachments with our PGP key; the fingerprint and ASCII-armored public key live at:

  • Fingerprint: (forthcoming — published before v1.0 GA)
  • Key URL: /.well-known/intreys-pgp.asc

If PGP is impractical for the finding, send an unencrypted summary and we’ll arrange a more secure channel. Please do not file vulnerabilities as public GitHub issues, in support tickets, or on social media before coordinated disclosure.

What to include

  • A clear description of the issue and its impact.
  • Reproduction steps, ideally with a minimal proof-of-concept.
  • The product version and OS where you reproduced it (e.g. intreys 1.0.0 on macOS 14.4).
  • Whether the finding has been disclosed elsewhere.
  • How you’d like to be credited (or not credited) if the report leads to a fix.

2. Scope

In scope
  • The intreys desktop application (all platforms)
  • The license service at license.intreys.com
  • The website at intreys.com and its subdomains
  • Auto-update mechanism and signed-binary chain
  • SSO via OIDC + SCIM 2.0 provisioning (Team / Enterprise / MSSP). SAML 2.0 SSO is available by request as an enterprise preview.
  • Local SQLite encryption, secret storage, audit log integrity
Out of scope
  • Third-party services (Stripe, Cloudflare, Apple, Microsoft) — report to them directly
  • Threat-intel APIs called from the user’s machine (AbuseIPDB, VirusTotal, etc.)
  • Self-hosted local AI models (llama.cpp, MLX) running under user control
  • Vulnerabilities requiring physical access to an unlocked device
  • Findings that depend on a malicious OS or compromised host
  • Social engineering of Intreys staff or customers

3. Rules of engagement

  • Do not access, modify, or destroy data that does not belong to you.
  • Use a test license or trial license for your research; do not pivot to other tenants.
  • Do not run automated scanners that generate disruptive load against license.intreys.com or intreys.com.
  • Do not perform denial-of-service tests against any production endpoint.
  • Do not chain into customer environments or third-party systems.
  • Stop at proof-of-concept — do not exfiltrate beyond what’s required to demonstrate the issue.
  • Give us a reasonable window to fix before public disclosure (see §5).

4. Response SLAs

  Stage                     Target             Notes
  Acknowledge receipt       2 business days    Auto-reply confirms intake; a human follows.
  Initial triage            5 business days    Severity classification + reproduction.
  Status update cadence     Weekly             Until fix or closure.
  Fix timeline (Critical)   Under 7 days       Hot-patch release if exploited; otherwise patched in next minor.
  Fix timeline (High)       Under 30 days
  Fix timeline (Medium)     Under 90 days
  Fix timeline (Low)        Best effort        Usually folded into a planned release.

5. Coordinated disclosure

Default embargo is 90 days from acknowledgment. We’ll work with you on extensions if a fix is ready but customer rollout requires more time, and on shorter windows if active exploitation is observed. Once a fix ships we publish:

  • An entry in our public changelog with the CVE if assigned.
  • An advisory under github.com/intreys/intreys/security/advisories.
  • Credit in the acknowledgments section below, unless you’ve asked otherwise.

6. Safe harbor

If you make a good-faith effort to comply with this policy, we will:

  • Not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations.
  • Treat your research as authorized under the Computer Fraud and Abuse Act (CFAA) and analogous state laws, and waive any applicable claims under the Digital Millennium Copyright Act (DMCA) for reverse-engineering carried out under this policy.
  • Work with you to understand and resolve the issue quickly.
  • Recognize your contribution publicly if you wish.

If a third party initiates legal action against you for activities conducted under this policy, we’ll make it known that your activities were authorized. This safe harbor does not extend to activities that violate the rules of engagement in §3 or that target third-party systems we don’t control.

7. Rewards

Intreys™ is a v1.0 launch by a small company. We don’t run a paid bug-bounty program at GA. What we offer instead:

  • Public credit in this policy and in release notes (with your preferred name and link).
  • Swag for first-time reporters of valid issues at Medium severity or above.
  • Free Professional license (one-year) for the first valid Critical or High report from any researcher.
  • A formal bounty program is on the roadmap for the back half of 2026 once SOC 2 readiness is in place.

8. Acknowledgments

We’ll list researchers who’ve made coordinated, valid disclosures here once we have any to credit. If you’ve reported an issue and want to be added (or removed), let us know.

No public disclosures yet. Be the first.

9. Out-of-scope finding types

The following are typically considered low-impact or out-of-scope at this stage. Reports of these may be acknowledged but generally won’t qualify for credit unless paired with material impact:

  • Missing security headers without a demonstrated exploit path
  • Self-XSS that requires a victim to paste payloads into their own console
  • Username enumeration on public marketing endpoints
  • Email spoofing without bypass of SPF/DKIM/DMARC alignment
  • Clickjacking on pages without sensitive state-changing actions
  • Reports generated solely by automated scanners (e.g. CVSS 0–3 informational findings)
  • Open-redirect on URLs that are explicitly whitelisted by the OAuth/OIDC flow
  • Rate-limit complaints on unauthenticated marketing endpoints
  • Findings against versions older than the current minor release

10. Contact

Security email: [email protected]

Machine-readable contact at /.well-known/security.txt per RFC 9116. For non-security questions, see support.

Thank you for keeping our customers safe.

© 2026 CyberShelt LLC. Intreys™ — Look deeper. Find everything.
