Responsible Vulnerability Disclosure Policy
Imengine cares about information security. We are committed to maintaining the confidentiality, integrity and availability of our systems and our information to ensure the trust and confidence of our customers.
Therefore, the security of our online platforms and applications is very important to us.
We ask that you disclose information security issues responsibly and in accordance with this Responsible Vulnerability Disclosure Policy.
This Policy applies to all systems and applications managed and/or developed by Imengine.
We will verify and remediate vulnerabilities in a timely manner.
As long as you use this process in disclosing information security issues to Imengine, we will not take legal action against you or revoke access to our online platforms and applications. Imengine reserves all legal rights in the event of any noncompliance with this Policy.
REPORTING:
We encourage security researchers to share the details of any suspected vulnerabilities with the Imengine Information Security Team.
You must send the discovered vulnerability exclusively to security[at]imengine.be and encrypt it with our PGP key to prevent the information from falling into the wrong hands.
We ask that you provide detailed information with steps for us to reproduce the vulnerability.
OUR COMMITMENT:
If you identify a valid security vulnerability in compliance with this Responsible Vulnerability Disclosure Policy, Imengine commits to:
- Addressing the risk if deemed appropriate by the Imengine team;
- Working with you to understand and validate the issue;
- Keeping you informed of the progress of solving the issue;
- Treating your report confidentially and not sharing your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation;
- Not taking legal action against you, if you have complied with this Responsible Vulnerability Disclosure Policy and have not committed any other breaches.
YOUR COMMITMENT:
One of our goals is to address issues as quickly as possible while limiting negative impacts to our customers. In order to do this, we need your help:
- Do not compromise Imengine's information or Imengine's systems, regardless of the impact;
- Delete data obtained through the vulnerability immediately after reporting;
- Provide valid contact information. The use of a pseudonym is allowed, but make sure we can contact you if we have additional questions;
- Respond when we have a question for you;
- Include as much information as possible to help us reproduce the issue, such as:
  - Technical description and details;
  - Screen captures of the issue (delete after uploading);
  - URL where the issue occurs;
  - The time of day you noticed the issue;
  - Your source IP.
YOU ARE PROHIBITED FROM:
- Accessing, downloading, modifying, or disclosing data residing in an account that does not belong to you;
- Executing or attempting to execute any Denial of Service attack;
- Executing or attempting to attack our physical security or third-party applications;
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or other forms of duplicative or unsolicited messages;
- Testing in a manner that would degrade the operation of any Imengine properties;
- Social engineering any Imengine employee, contractor or client;
- Publicly disclosing any identified or alleged vulnerability without express written consent from Imengine.
Imengine reserves the right to change the contents of this Policy or terminate this Policy at any time.