Vulnerability disclosure
ICE Around welcomes reports from security researchers who act in good faith. Community safety depends on a platform people can trust; responsible disclosure helps us fix issues before they harm users.
What to report
We are interested in vulnerabilities that affect confidentiality, integrity, or availability of the ICE Around application and its supporting infrastructure, including:
- Authentication, session, or authorization flaws
- Cross-site scripting (XSS), CSRF, or injection issues
- Insecure direct object references (IDOR) exposing private reports or credentials
- Server-side request forgery (SSRF) or unsafe file handling
- Misconfigurations that expose secrets, backups, or administrative interfaces
Rules of engagement
Test only against systems you are permitted to assess. Do not access, modify, or delete other users' data. Do not perform denial-of-service attacks against production services. Give us reasonable time to investigate and remediate before any public disclosure: we aim to acknowledge reports within a few business days and will work with you on a coordinated timeline.
Our database
ICE Around uses managed PostgreSQL for application data. Do not run destructive tests against our database, including dropping or truncating tables, mass-deleting rows, corrupting schemas, exhausting connection pools, or any action intended to wipe or disable production data. If you believe you have found a database-related issue, demonstrate it with minimal, non-destructive proof (for example, exposure of a single row belonging to a test account you control) and stop immediately.
Out of scope
- Social engineering, phishing, or physical attacks
- Spam, rate-limit evasion without a security impact, or best-practice-only findings
- Issues in third-party services we do not operate (report those vendors directly)
- Destructive or availability attacks on production infrastructure
Recognition & rewards
We do not offer monetary bounties or paid payouts at this time. We will, however, acknowledge security researchers who report valid, in-scope issues in good faith: with your permission, we can credit you on this page or in release notes after a fix is deployed. If you prefer to remain anonymous, say so in your report.
How to report
Send details to [email protected]. Include a clear description, steps to reproduce, impact assessment, and any supporting logs or screenshots. Encrypt sensitive material if needed; we can provide a PGP key on request.
Please do not report vulnerabilities through public GitHub issues or social media.