🔐 ImpactID Responsible Disclosure Policy

1. Purpose

ImpactID is committed to protecting the confidentiality, integrity, and availability of our services and user data. We welcome reports from security researchers and will act quickly to validate, resolve, and publicly acknowledge legitimate findings.

2. Scope

In scope	Out of scope
*.impactid.nl production systems	DoS / DDoS or stress-testing
Web, API, mobile apps	“Best-practice” headers only (unless exploitable)
Open-source repos under ImpactID org	Click-jacking on pages without sensitive data
3rd-party services used by us	Rate-limit or brute-force tests

Note: If you believe an out-of-scope issue can lead to a critical exploit, report it anyway — we will evaluate it.

3. Guidelines for Responsible Testing

No data exfiltration. Only use test or dummy accounts you own.
No service disruption. Avoid actions that degrade performance or availability.
No social engineering or phishing of ImpactID staff or customers.
Lawful behaviour. Comply with all local laws and regulations.

4. Safe Harbor

If you follow this policy:

We will not pursue civil action or law-enforcement investigation.
Your testing is considered authorised under applicable computer misuse laws.
Any NDAs in our terms are waived for the purpose of reporting.

5. How to Report

Please report any vulnerability via:

Email: security@impactid.nl
PGP: Download Public Key
Security.txt: View File

Include:

Clear steps to reproduce the vulnerability
Any relevant logs or screenshots
Your contact details and (optional) PGP key

6. Our Response Process

Stage	Target Timeframe
Acknowledge report	≤ 2 business days
Initial assessment	≤ 5 days
Fix or mitigation	Depends on severity (usually ≤ 30 days)
Public disclosure	By mutual agreement after fix

8. Legal Notice

This policy does not grant permission to act unlawfully. ImpactID reserves the right to update this policy at any time.

Contact: security@impactid.nl | PGP Fingerprint: AA99 CDD2 … F746 622
Last updated: 19 September 2025 – Version 1.0.1 A Rahzani