Responsible Disclosure
Testing framework, Safe Harbor commitment, and vulnerability reporting.
Security through obscurity is an illusion. ITYLOS encourages the community of cybersecurity researchers to analyze our platform. This policy expresses our intention to treat in good faith research work conforming to this framework, and to offer a "Safe Harbor" in exchange for responsible disclosure.
🤝 Engagement Safe Harbor
ITYLOS does not intend to pursue legal action against security researchers acting in good faith, strictly respecting the scope defined on this page, and allowing us a reasonable remediation period.
Legal note: This framework does not create a general or unlimited waiver of our remedies in cases of proven malicious behavior, harm to third parties, data exfiltration, or actions outside scope.
Expected rules of conduct
- Good faith: Seek to secure the service constructively, not to exploit it or extort it.
- Respect for privacy: Never interact with third-party data. You must only use your own capsules/test accounts.
- No service disruption: Do not interrupt the service, do not automate aggressive scanners, do not perform intentional load (DDoS).
- Reasonable embargo: Allow us a reasonable time to fix the vulnerability before making a publication or requesting a CVE.
🎯 Authorized Scope
Focus your efforts exclusively on the targets and methods defined below. Anything not listed here is considered out of scope.
Technical targets (In-Scope)
- Web Application (Frontend) on *.itylos.com: Local encryption bypass, XSS, CSP bypass, creation logic flaws.
- API & Backend: Unique destruction bypass, limit circumvention, SQL/NoSQL injections.
- Cryptography: Weaknesses in the Forge implementation (WebCrypto API), use of AES-256-GCM, or Ed25519 signatures.
Authorized methods
- Non-destructive manual testing
- Using your own capsules
- Minimal proof of concept (PoC)
- Read-only when possible
Prohibited even in good faith
- Brute force or DDoS attacks
- Application data exfiltration
- Social Engineering (Phishing)
- Maintaining persistent post-exploitation access
📧 Reporting Process
To ensure efficient processing, your report (Bug Report / Vulnerability Report) must contain the following elements:
Expected report format
- Title: Explicit summary of the vulnerability.
- Criticality: Your impact assessment (Low, Medium, High, Critical).
- Reproduction: Exact steps, step by step (PoC), to reproduce the behavior.
- Impact: Demonstrable real consequences on the product or infrastructure.
Security Contact
Send your report directly by email.
Recommended subject: [SECURITY] Problem summary
For general requests not related to a vulnerability, please use the standard contact page.
Note regarding rewards (Bug Bounty): No public compensation program is currently in place. Acknowledgments (Hall of Fame) may be granted on a case-by-case basis.
📜 The security.txt standard
In accordance with industry best practices (RFC 9116), ITYLOS maintains a security.txt file at the root of its infrastructure. This machine-readable file allows auditors to verify the authenticity of our policies.
Policy: https://itylos.com/security-policy
Preferred-Languages: fr, en
Canonical: https://itylos.com/.well-known/security.txt
Public path: https://itylos.com/.well-known/security.txt
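As an added example (not ITYLOS code), the following checker validates a fetched security.txt against the RFC 9116 requirements that the standard makes mandatory: a Contact field, a single Expires timestamp that is still in the future, https URLs, and a Canonical entry that matches the URL the file was served from. The sample file is constructed: its Policy, Preferred-Languages and Canonical lines mirror the values above, while the Contact address and Expires date are placeholders, not ITYLOS values.

```python
"""Validate a security.txt file against RFC 9116 requirements.

Added example, not part of the ITYLOS platform: a checker a maintainer
can run over /.well-known/security.txt before publishing or renewing it.
"""
from datetime import datetime, timezone

# RFC 9116 marks Contact and Expires as REQUIRED; Expires and
# Preferred-Languages must not appear more than once.
REQUIRED_FIELDS = {"Contact", "Expires"}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}

# Constructed sample: Contact and Expires are placeholders, not real values.
SAMPLE = """\
# Constructed sample security.txt
Contact: mailto:security@example.invalid
Expires: 2099-01-01T00:00:00Z
Policy: https://itylos.com/security-policy
Preferred-Languages: fr, en
Canonical: https://itylos.com/.well-known/security.txt
"""


def parse_security_txt(text):
    """Return {field: [values]}, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, served_at, now=None):
    """Return a list of findings; an empty list means the file passes.

    served_at is the URL the file was fetched from (assumed by this
    example) and is compared against the Canonical field.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    fields = parse_security_txt(text)

    for name in sorted(REQUIRED_FIELDS - fields.keys()):
        findings.append(f"missing required field: {name}")
    for name in sorted(SINGLE_VALUED):
        if len(fields.get(name, [])) > 1:
            findings.append(f"field must appear at most once: {name}")

    # Contact must be a URI; mailto:, https:// and tel: are the usual forms.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact is not a mailto:/https:// /tel: URI: {contact}")

    # An expired file tells researchers the policy may no longer be current.
    for expires in fields.get("Expires", [])[:1]:
        try:
            exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {expires}")
        else:
            if exp <= now:
                findings.append("Expires is in the past; the file must be refreshed")

    canonical = fields.get("Canonical", [])
    if canonical and served_at not in canonical:
        findings.append(f"served URL {served_at} is not listed in Canonical")
    for name in ("Canonical", "Policy"):
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                findings.append(f"{name} must use https: {url}")
    return findings


if __name__ == "__main__":
    url = "https://itylos.com/.well-known/security.txt"
    for finding in validate_security_txt(SAMPLE, url) or ["OK: no findings"]:
        print(finding)
```

Run it on the file as actually served to catch the two failures that most often go unnoticed: an Expires date that has quietly passed, and a Canonical URL that no longer matches the path the file is published at.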