Security Vulnerability Disclosure Policy

Summary

At ID123, the security of our products and services is a top priority. We value the contributions of the security research community and support responsible disclosure of vulnerabilities. This policy outlines how to report security issues to us and what to expect in return.

Reporting a Vulnerability

If you believe you’ve discovered a security vulnerability in one of our systems, products, or services, we ask that you:

Email us at: security@id123.io

Include:

  • Your name and contact details
  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The affected product/service/system
  • Any supporting evidence (e.g., logs, screenshots)

Please do not publicly disclose the vulnerability before we have addressed it.

Our Response Process

Once we receive your report, we will:

  1. Acknowledge receipt within 2 business days
  2. Assess and prioritize the issue
  3. Work on remediation and test a fix
  4. Update you regularly (at least every 2 weeks)
  5. Notify you once it’s resolved
  6. Coordinate public disclosure, if applicable

Safe Harbor

We commit to working with researchers who act in good faith:

  • If you comply with this policy in good faith and avoid prohibited activities, we will not pursue legal action.
  • To qualify for Safe Harbor, you must not access, store, or exfiltrate any production data, including personal, internal or confidential company information.
  • If you inadvertently encounter such data, you must immediately stop testing, delete the data, and notify us without delay.
  • Deliberate access to or retention of production or sensitive data falls outside the scope of this policy and will require us to pursue legal action.

Recognition & Bounty

We may offer recognition or bounties at our discretion for valid, impactful reports. To qualify, you may be asked to sign a Non-Disclosure Agreement (NDA) and complete a basic onboarding process.

Program Scope

This policy covers vulnerabilities in any of our:

  • Products and mobile/web apps
  • Cloud and backend infrastructure
  • Public-facing systems and APIs

We reserve the right to exclude findings based on risk level, previously known issues, or non-exploitable configurations.

Coordinated Disclosure

We may collaborate with external vendors, partners, or affected third parties if a vulnerability impacts more than our systems. We support transparency and responsible coordination with all stakeholders.

Questions or Feedback?

Email us anytime at security@id123.io. We appreciate your help in keeping ID123 secure for everyone.
For the full policy, please refer to our Security Vulnerability Disclosure Policy (PDF).