Responsible Vulnerability Disclosure Policy

Last Updated: July 8, 2025

1. Policy Statement

At Ignate, we are committed to maintaining the highest standards of security for our enterprise data integration platform and protecting our customers' sensitive information. We recognize that security researchers and the broader community play a vital role in helping us identify and address potential security vulnerabilities.

This Responsible Vulnerability Disclosure Policy outlines our commitment to working collaboratively with security researchers, our process for handling security reports, and the guidelines we ask researchers to follow when reporting potential security issues.

We believe that through responsible disclosure and coordinated efforts, we can maintain a secure environment for our customers while fostering a positive relationship with the security research community.

2. Scope and Coverage

This policy applies to all Ignate products, services, applications, and infrastructure that are currently supported and generally available. This includes our ConnectHub, APIStudio, FlowCraft, and Automate platforms, as well as our corporate websites and customer-facing applications.

We encourage security researchers, customers, and the broader community to report potential security vulnerabilities in a responsible manner. This policy outlines our commitment to working with security researchers and provides guidelines for responsible disclosure.

3. What We Consider In Scope

Security vulnerabilities that could potentially impact the confidentiality, integrity, or availability of our systems or customer data are within scope. This includes but is not limited to authentication bypasses, data exposure, injection vulnerabilities, and privilege escalation issues.

We are particularly interested in vulnerabilities that could affect our data integration platforms, API security, workflow automation systems, and customer data protection mechanisms.

4. What We Consider Out of Scope

The following are generally considered out of scope: social engineering attacks, physical security issues, denial of service attacks, spam or phishing attacks, and vulnerabilities in third-party applications or services not directly controlled by Ignate.

Additionally, issues that require physical access to user devices, vulnerabilities in outdated or unsupported versions of our software, and theoretical vulnerabilities without proof of concept are typically out of scope.

Important Note:

This is not a paid bug bounty program. While we don't provide monetary compensation, we do offer public recognition and acknowledgment for valid security findings, unless you prefer to remain anonymous.

5. Reporting Guidelines

When reporting a vulnerability, please provide detailed information including a clear description of the issue, steps to reproduce the vulnerability, potential impact assessment, and any supporting evidence such as screenshots or proof-of-concept code.

Please report vulnerabilities through our dedicated security email at [email protected]. We commit to acknowledging receipt of your report within 48 hours and providing regular updates on our investigation and remediation progress.

Research Guidelines:

DO: Provide clear reproduction steps, limit testing to proof-of-concept only, respect user privacy and data.

DON'T: Access or modify data beyond what's necessary to demonstrate the vulnerability, perform actions that could harm our services or users, or publicly disclose the vulnerability before coordinated disclosure.

6. Our Commitment to Researchers

We are committed to working with security researchers in good faith. We will not pursue legal action against researchers who discover and report security vulnerabilities in accordance with this policy, provided they act in good faith and do not violate any laws.

We will provide credit to researchers who discover valid security vulnerabilities, unless they prefer to remain anonymous. We maintain a security acknowledgments page to recognize the contributions of security researchers and may feature significant findings in our security blog.

Recognition Program:

While this is not a paid bug bounty program, we deeply value the security research community's contributions and are committed to providing timely responses, clear communication, and public recognition for your efforts to help keep our platform secure.

7. Response Timeline and Process

Upon receiving a vulnerability report, we will acknowledge receipt within 48 hours. Our security team will then assess the report and provide an initial response within 5 business days, including our assessment of the severity and expected timeline for resolution.

For critical vulnerabilities, we aim to provide a fix or mitigation within 30 days. For high-severity issues, our target is 60 days, and for medium and low-severity issues, we target 90 days. We will keep reporters informed of our progress throughout the remediation process.

8. Coordinated Disclosure

We believe in coordinated disclosure and ask that researchers allow us 90 days to investigate and address reported vulnerabilities before making any information public, unless we mutually agree to a different timeline. Critical vulnerabilities may require expedited disclosure.

Once a vulnerability has been resolved, we may publish details about the issue and our response, including appropriate credit to the researcher, unless they have requested to remain anonymous. We will coordinate with researchers on the timing and content of any public disclosure.

10. Contact Information

Security Team Contact

For reporting security vulnerabilities, please contact our dedicated security team:

Subject Line: [SECURITY] Vulnerability Report - [Brief Description]

General Contact Information

For general inquiries or other security-related questions:

Ignate, INC
Security Team
8700 Commerce Park Drive STE 103
Houston, TX 77036
United States

Response Time: We commit to acknowledging vulnerability reports within 48 hours and providing regular updates throughout our investigation and remediation process.

This policy is effective as of July 8, 2025 and may be updated from time to time.

For questions about this policy, please contact us at [email protected]