Security & vulnerability disclosure
If you found a security issue with ARIA Sentinel, iisupp.net, or any IIS service, please report it. We will respond.
14d
Coordinated disclosure
P0 → 24h
Critical patch SLA
Report a vulnerability
Email: integrateditsupp@gmail.com
Subject prefix: [security]
Please include: scope (URL or component), reproduction steps, impact assessment, and your contact for follow-up. PGP available on request.
Scope
- In scope: iisupp.net + all subdomains, ARIA Sentinel desktop client (all releases), Netlify functions under
/.netlify/functions/, public API endpoints, OTA pipeline.
- Out of scope: third-party services (Stripe, Netlify, GitHub themselves), DoS/DDoS, social engineering, physical attacks, vulnerabilities requiring root on a victim's already-compromised machine.
What you can expect
- Initial response within 48 business hours.
- Triage + severity classification within 7 days.
- Coordinated disclosure: 14-day default embargo, 90-day maximum for critical issues. We will publish a brief advisory after patch.
- Public credit if you want it. We don't run a paid bounty yet but will add reporters to our acknowledgments page.
What we run internally
- SAST + SCA on every PR (GitHub-native).
- Dependency vulnerability monitoring continuous.
- TLS 1.3 + HSTS + CSP enforced on every public surface.
- Secrets in environment only — never bundled into desktop builds. Desktop never carries
SENTINEL_LICENSE_SECRET; all license resolution server-side.
- R11 privacy guard — designated personal folders are off-limits to all internal agents.
Live security artifacts
Integrated IT Support Inc. · 30 Fothergill Crt, Whitby ON L1P 1L4 · Canada · D-U-N-S 241726397