Vulnerability Disclosure Policy
How to report a security issue in ARIA, iisupp.net, or any IIS service. We appreciate responsible disclosure and respond fast.
1. Report to
Email: security@iisupp.net
PGP key: No public PGP key is currently published; plaintext email is acceptable for initial disclosure.
Acknowledgement target: within 24 hours on business days, 72 hours otherwise
Initial assessment target: within 5 business days
2. What we want to hear about
- Authentication bypass on any iisupp.net surface
- Cross-site scripting (XSS) on iisupp.net or our hosted apps
- SQL injection or NoSQL injection (we use NoSQL; report either)
- Server-side request forgery (SSRF) in any Netlify function
- Privilege escalation across tenants or roles
- Sensitive data exposure (env vars, secrets, customer data)
- Insecure direct object reference (IDOR)
- Prompt-injection attacks that leak system prompts or take privileged actions
- Stripe webhook signature bypass or billing fraud vectors
3. What is OUT of scope
- Denial-of-service attacks (please do not test these against production)
- Social engineering of IIS staff
- Physical security tests
- Reports requiring physical access to a user's device
- Reports of missing security headers without a demonstrated impact (we'll fix, but it's not a vuln)
- Reports of best-practice non-compliance without a working exploit
4. Safe harbour
If you make a good-faith effort to comply with this policy during your security research, IIS will:
- Not initiate legal action against you
- Work with you to understand and resolve the issue quickly
- Credit you in our hall of fame (if you want — anonymous reports also welcome)
We expect you to:
- Avoid privacy violations and disruption to live users
- Only test against your own accounts unless explicitly authorized
- Give us reasonable time to respond before public disclosure (we suggest 90 days)
- Not exfiltrate any data beyond what is needed to demonstrate the issue
5. What you can expect from us
- Day 0: Email acknowledgement
- Day 1–5: Triage + severity assignment (Critical/High/Medium/Low)
- Day 5–30: Fix shipped (timeline depends on severity)
- After fix: Coordinated disclosure window agreed with reporter
6. Bounty?
We are bootstrapped and do not currently run a formal bounty program. We will gladly credit you, and if a report leads to a serious fix, we offer a thank-you in the form of swag, ARIA Pro plan credit, or a paid pilot for your organization.
7. Bug bounty cooperation
We follow ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (handling) where applicable.
Last updated: 2026-06-18 · Version 1.0 · Cat 4 trust + safety