Vulnerability Disclosure Policy

Purpose

Iute Group is committed to protecting our customers, employees, partners, and systems. We welcome good-faith security research and encourage responsible reporting of potential vulnerabilities.
This policy explains how security researchers may report vulnerabilities based on responsible disclosure principles, what activities are authorized, what activities are prohibited, and how we handle submitted reports.

Scope

This policy applies to the systems, products, and services listed below. Reports about other security concerns are also welcome, but testing is authorized only for assets that are in scope.

In scope

The following assets are authorized for vulnerability research:

Asset                  Description
*.iute.*               Public web applications owned by Iute Group
*.iutecredit.*         Public web applications owned by Iute Group
api.iute.*             Public API endpoints
MyIute                 iOS and Android applications published by Iute Group

Out of scope

The following are not authorized unless we give prior written permission:

Asset / activity                                                                  Reason
Third-party systems, vendors, or hosted services not owned by Iute Group          Not controlled by us
Physical offices, data centers, badges, or hardware devices                       Physical security testing is excluded
Employee, contractor, partner, or customer social engineering                     Protects individuals from harm
Denial-of-service testing, including stress, load, or resource-exhaustion testing Could disrupt availability
Spam, phishing, or malware testing                                                Could harm users or systems
Production data exfiltration                                                      Protects confidentiality and privacy

If you are unsure whether a system is in scope, contact us via email: bug-report@iute.com.

Authorized Research

Researchers are permitted to engage in security research activities, subject to the following conditions:

  • All activities shall be conducted in good faith.
  • All activities shall remain in scope of this policy.
  • Avoid privacy violations, data destruction, service disruption, and degradation.
  • Do not exploit a vulnerability beyond what is necessary to prove its existence.
  • Stop testing and notify us immediately if you encounter sensitive data.
  • Do not access, modify, delete, retain, or disclose customer, employee, partner, or company data.
  • Give us a reasonable opportunity to investigate and remediate before public disclosure.

While researchers may conduct preliminary, non-intrusive testing independently, any deeper or more invasive security testing must be coordinated with Iute Group in advance to ensure it is properly authorized and does not disrupt our systems or users.

Prohibited Activities

The following activities are not authorized:

  • Denial-of-service, stress, load, or resource-exhaustion testing.
  • Phishing, vishing, smishing, pretexting, or other social engineering.
  • Physical intrusion, tailgating, badge cloning, or device tampering.
  • Malware deployment, persistence, ransomware simulation, or destructive payloads.
  • Data exfiltration, mass data access, scraping, or bulk downloading.
  • Accessing accounts, data, or systems that do not belong to you.
  • Modifying, deleting, or corrupting data.
  • Testing third-party services, integrations, or infrastructure not owned by Iute Group.
  • Public disclosure before remediation or written approval from Iute Group.
  • Any activity that violates applicable law.

Safe Harbor

When security research is conducted in accordance with this policy, Iute Group will consider it authorized and will not initiate or support legal action against you for the research.

If a third party brings legal action against you related to activities conducted under this policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this policy.

Safe harbor applies only when you:

  • Follow this policy.
  • Act in good faith.
  • Stay within authorized scope.
  • Avoid harm to Iute Group, our customers, employees, partners, and systems.
  • Report vulnerabilities promptly.
  • Do not retain, disclose, or misuse any data encountered.
  • Stop testing immediately if you identify a risk of harm or access sensitive data.

This safe harbor does not apply to actions that are malicious, extortive, destructive, fraudulent, or outside the scope of this policy.

Reporting a Vulnerability

Please report vulnerabilities to:

Email: bug-report@iute.com

PGP key: https://www.iute.com/security/pgp-key.txt

PGP Fingerprint: 5C3B B2DF 473C DCAB 6A0D  E50C C998 9A37 3E07 A31D

Include as much detail as possible:

  • Affected asset, URL, endpoint, product, or version.
  • Vulnerability type and impact.
  • Step-by-step reproduction instructions.
  • Proof-of-concept code, screenshots, or videos, if safe to provide.
  • Whether you accessed any data and, if so, the minimum details needed for us to investigate.
  • Your contact information, if you want follow-up or recognition.

Do not include sensitive personal data, secrets, credentials, or customer data in your report unless absolutely necessary to demonstrate the issue.

Our Commitment

After receiving a valid report, Iute Group will make reasonable efforts to:

Stage                                        Target timeframe
Acknowledge receipt                          Within 3 business days
Initial triage                               Within 10 business days
Provide status update                        At least every 15 business days
Remediate critical vulnerabilities           As soon as reasonably practicable
Coordinate public disclosure, if applicable  After remediation or an agreed timeline

Timelines may vary depending on severity, complexity, affected systems, third-party dependencies, and regulatory obligations.

Severity and Prioritization

Reports will be prioritized based on risk, exploitability, affected systems, business impact, and potential harm to customers or users.

Higher-priority findings include:

  • Remote code execution.
  • Authentication or authorization bypass.
  • Access to sensitive customer or company data.
  • Privilege escalation.
  • Significant business logic flaws.
  • Exposure of production secrets or credentials.

Lower-priority or commonly non-qualifying findings include:

  • Missing security headers without demonstrated impact.
  • Clickjacking on pages with no sensitive actions.
  • Self-XSS without a credible attack scenario.
  • Informational TLS or cookie configuration issues without exploitability.
  • Automated scanner output without validation.
  • Rate-limit observations without demonstrated security impact.
  • Vulnerabilities requiring physical access, compromised devices, or unrealistic preconditions.

Data Handling

If you encounter sensitive data, you must:

  • Stop testing immediately.
  • Avoid copying, saving, modifying, deleting, transferring, or sharing the data.
  • Report the finding to us promptly.
  • Include only the minimum information necessary for us to identify and remediate the issue.
  • Delete any locally stored sensitive data after we confirm receipt, unless legal preservation is required.

Sensitive data includes personal data (including special-category or highly sensitive personal data such as health, financial, identity, contact, authentication, or account data), credentials, tokens, private keys, secrets, customer content, confidential business information, and non-public system information.

Coordinated Disclosure

We support coordinated vulnerability disclosure.

You must not publicly disclose a vulnerability until:

  • We have remediated the issue;
  • We have given written permission; or
  • A mutually agreed disclosure timeline has elapsed.

We generally request at least 90 days before public disclosure, unless otherwise agreed. For actively exploited or high-risk vulnerabilities, we may request additional coordination to protect users.

If the vulnerability affects third-party products, open-source projects, or multiple vendors, we may coordinate disclosure with affected parties, CERT/CC, CISA, regulators, customers, or other appropriate stakeholders.

Recognition

At our discretion, we may recognize researchers who submit valid, unique, and actionable reports.

Recognition may include:

  • Public acknowledgement on our security page.
  • A letter of appreciation.
  • Swag or non-monetary recognition.
  • Bug bounty payment, if the report is submitted under an active bounty program.

This policy does not guarantee payment, reward, employment, or contractual relationship.

If multiple researchers report the same issue, we will generally consider the first complete and actionable report as the original submission.

A report may be considered duplicate if we were already aware of the issue through internal testing, monitoring, prior reports, third-party alerts, or vendor notifications.

Confidentiality

Information shared with you by Iute Group, or obtained through vulnerability research, must be treated as confidential unless we give written permission to disclose it.

You may not disclose:

  • Non-public vulnerabilities.
  • Customer or employee data.
  • Partner data and personal data in general.
  • Confidential business information.
  • Internal system details.
  • Source code, credentials, tokens, keys, or secrets.
  • Communications with Iute Group about the report.

Legal and Compliance

This policy does not authorize activity that violates applicable law, regulation, or contractual obligations.

Researchers are responsible for complying with all applicable laws. Iute Group may be required to report certain vulnerabilities, incidents, or data exposures to regulators, customers, law enforcement, or affected individuals.

Changes to This Policy

Iute Group may update this policy at any time. The current version will be published at https://www.iute.com/security. Testing is authorized only under the version of the policy in effect at the time of testing.