Invoice123.com Vulnerability Disclosure Policy
Introduction
At Invoice123.com, we prioritize the security of our systems and data. We encourage the responsible reporting of any vulnerabilities discovered in our services. This policy provides guidelines for submitting such vulnerabilities and outlines our commitment to the security community.
Scope
This policy applies to any digital assets owned, operated, or maintained by Invoice123.com, including:
- All subdomains under invoice123.com
- Invoice123 mobile applications on iOS and Android
- Any Invoice123 API integrations
Out of Scope
To ensure the effectiveness and efficiency of our response to reports, the following types of vulnerabilities are considered out of scope:
- Physical attacks against Invoice123 properties or data centers
- Social engineering (including phishing) of Invoice123 staff or contractors
- Any attacks against Invoice123’s physical infrastructure
- Denial of Service (DoS/DDoS) attacks
- Spam or unsolicited email
Reporting a Vulnerability
To report a security issue, please follow these steps:
- Email your findings: Send your report to security@invoice123.com. Provide detailed information including step-by-step instructions to reproduce the issue, the potential impact, and any possible solutions you envisage.
- Secure communication: If your findings include sensitive information, please use our PGP key to encrypt your message.
What to Expect After Reporting
- Acknowledgment: We will acknowledge your report within 72 hours of submission.
- Evaluation: Our security team will evaluate the reported vulnerability for validity and impact.
- Updates: We will keep you informed of the progress toward resolving the vulnerability.
- Disclosure: Public disclosure of the vulnerability will be coordinated with you to ensure that we have mitigated the risks effectively.
Rewards
While not every report will necessarily qualify for a reward, Invoice123.com offers both monetary and non-monetary rewards for reports that significantly contribute to the improvement of our security. The amount and type of reward will be determined based on the severity and impact of the discovered vulnerability.
Safe Harbor
Researchers who comply with all guidelines in this policy and report vulnerabilities in good faith will not face any legal action from Invoice123.com. We support ethical hacking and ensure that no legal action will be initiated against you provided you adhere to the law and this policy.
Legal
By submitting a report to Invoice123.com, you agree to handle the disclosed information responsibly. You agree not to disclose the vulnerability to others until it has been resolved and to delete any confidential data acquired during the research after the vulnerability has been fixed.
Contact
For any queries or further information regarding this policy, please contact security@invoice123.com.