Security
Responsible Disclosure
Last updated: May 5, 2026
We take security seriously. If you have found a vulnerability, please report it privately so we can fix it before it can be exploited. We follow the principles of coordinated disclosure as defined by ISO/IEC 29147 and value the work of independent researchers.
How to report
Email security@identityatcore.org. If you would like to encrypt your report, request our PGP key in your first message and we will reply with the public key; keep the vulnerability details out of that unencrypted first message and send them once you have the key.
You can also use the machine-readable details published at /.well-known/security.txt (RFC 9116).
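As an added example (not code from identityatcore.org), a small Python checker for the RFC 9116 format that the security.txt link above uses: it parses the file, requires the mandatory Contact and Expires fields, rejects a bare e-mail address as a Contact value (the field must be a URI), and flags an Expires value that is in the past or more than a year away. The sample files, their dates and the Canonical URL are constructed for illustration; only the contact address comes from this page.

```python
"""Parse and sanity-check a security.txt file against RFC 9116.
Added example; not code from identityatcore.org."""
from datetime import datetime, timedelta, timezone

# Constructed sample. The Contact address is the one this page publishes;
# every other value (dates, Canonical URL, languages) is assumed for illustration.
SAMPLE = """\
# security.txt for identityatcore.org (constructed sample)
Contact: mailto:security@identityatcore.org
Expires: 2027-03-01T00:00:00Z
Preferred-Languages: en
Canonical: https://identityatcore.org/.well-known/security.txt
"""

# Constructed sample of a file that fails the mandatory checks:
# bare e-mail address, no Expires, Preferred-Languages repeated.
BAD_SAMPLE = """\
Contact: security@identityatcore.org
Preferred-Languages: en
Preferred-Languages: de
"""


def _parse_timestamp(value):
    """RFC 9116 requires an RFC 3339 date-time; accept the trailing 'Z' form too."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset")
    return ts.astimezone(timezone.utc)


def parse_security_txt(text):
    """Map lower-cased field names to the list of values seen, in order.
    Blank lines and '#' comment lines are skipped; anything else must be 'Name: value'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems (empty means the file passes).
    Checks the two fields RFC 9116 makes mandatory (Contact, Expires), the
    single-occurrence rule for Expires and Preferred-Languages, and the
    recommendation that Expires be less than a year away.
    `now` is an RFC 3339 string for reproducible checks; default is the current time."""
    now_ts = _parse_timestamp(now) if now else datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: required field is missing")
    for c in contacts:
        # The value must be a URI; a bare e-mail address is a common mistake.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact: not a mailto:/https:/tel: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires: must appear exactly once")
    else:
        try:
            exp = _parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires: not an RFC 3339 date-time: {expires[0]}")
        else:
            if exp <= now_ts:
                problems.append("Expires: file has expired; do not trust its contents")
            elif exp > now_ts + timedelta(days=365):
                problems.append("Expires: more than a year out (RFC 9116 recommends less)")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample) or "OK")
```

To check a live file, fetch `https://<host>/.well-known/security.txt` over HTTPS and pass the response body to `check_security_txt`; an expired file should be treated as absent, since its contact details may no longer be monitored.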
What to include
- A clear description of the issue and the affected URL or component.
- Steps to reproduce, ideally with a proof-of-concept.
- The impact you believe an attacker could achieve.
- Your name or handle, if you want to be credited.
Our commitments
- Acknowledgement within 48 hours. Even on weekends, you will hear back.
- Triage within 5 business days. We will confirm whether we can reproduce the issue and share a tentative severity.
- Fix timelines based on severity. Critical issues are patched as fast as we can ship; lower-severity issues follow our regular release cadence.
- No legal action against good-faith research that stays within the scope below.
- Credit in our hall of fame on this page (with your permission), and a public thank-you when we ship the fix.
Scope
- identityatcore.org and any subdomain, including preview deployments.
- The mobile-friendly views and APIs served from those domains.
- Authentication, authorization, account management, payment, and partner-program flows.
Out of scope
- Denial-of-service or volumetric attacks.
- Social engineering of staff, partners, or users.
- Physical attacks against infrastructure.
- Findings whose impact requires a victim to install malware, accept browser warnings, or use an outdated browser.
- Reports generated solely from automated scanners with no demonstrated impact (we run those ourselves).
- Self-XSS that requires a victim to paste content into their own browser.
Safe harbor
Activity conducted in accordance with this policy will be considered authorized, and we will not initiate or support legal action against you. If a third party initiates legal action against you for activity that complied with this policy, we will make this authorization known.
Hall of fame
Researchers who have responsibly disclosed valid issues to us. Want to be on this list? Get in touch.
No reports yet. Be the first.
Bug bounty
We do not currently run a paid bug-bounty program. We are happy to discuss recognition and swag for impactful reports.