Security

Vulnerability disclosure and security contact.

IronSOC welcomes security research conducted in good faith. This policy describes how to report, what is in scope, and how we respond.

Report a security issue.

Email security@ironsoc.com with a clear description, reproduction steps, and any proof-of-concept you can share. Encrypted reports are welcome — request our PGP key by reply.

Acknowledge fast

We aim to acknowledge any well-formed report within two business days.

Triage and update

We will give a status update within five business days and a fix or mitigation plan when we have one.

Coordinated disclosure

We coordinate publication with the reporter. We will not pursue legal action against research conducted in good faith inside this scope.

In scope

What we want to hear about.

  • ironsoc.com and any *.ironsoc.com domains we operate
  • Public APIs documented at IronSOC under our control
  • Authentication, authorization, and session-handling flaws
  • Server-side injection, SSRF, RCE, and authentication bypass
  • Data exposure, IDOR, and access-control flaws

Out of scope

What we cannot accept.

  • Denial of service, volumetric, or rate-limit testing
  • Social engineering against employees, customers, or partners
  • Physical attacks or attempts to access non-public infrastructure
  • Findings against third-party services not operated by IronSOC
  • Automated scanner output without a working proof of concept

Safe harbor

Good-faith research is welcome.

IronSOC will not pursue legal action against a researcher who follows this policy, avoids privacy violations, destruction of data, or interruption of service, and gives us a reasonable window to remediate before public disclosure.

public/.well-known/security.txt
Contact: mailto:security@ironsoc.com
Expires: 2027-05-06T00:00:00.000Z
Preferred-Languages: en
Canonical: https://ironsoc.com/.well-known/security.txt
Policy: https://ironsoc.com/security