Responsible Disclosure Policy

Purpose

ImpactID is committed to protecting the confidentiality, integrity, and availability of our services and user data. We welcome reports from security researchers and will act quickly to validate, resolve, and publicly acknowledge legitimate findings.

Scope

In scope

*.impactid.nl production systems

Web, API & mobile apps

Open-source repos under ImpactID org

3rd-party services used by us

Out of scope

DoS / DDoS or stress-testing

Headers-only (unless exploitable)

Clickjacking on non-sensitive pages

Rate-limit or brute-force tests

› If you believe an out-of-scope issue can lead to a critical exploit, report it anyway — we will evaluate it.

Testing Guidelines

No data exfiltration. Only use test or dummy accounts you own.

No service disruption. Avoid actions that degrade performance or availability.

No social engineering or phishing of ImpactID staff or customers.

Lawful behaviour. Comply with all local laws and regulations.

Safe Harbor

We will not pursue civil action or law-enforcement investigation.

Your testing is considered authorised under applicable computer misuse laws.

Any NDAs in our terms are waived for the purpose of reporting.

How to Report

Clear steps to reproduce the vulnerability

Any relevant logs or screenshots

Your contact details and optional PGP key

Response Process

Acknowledge report

≤ 2 business days

Initial assessment

≤ 5 days

Fix or mitigation

usually ≤ 30 days

Public disclosure

by mutual agreement

Legal notice: This policy does not grant permission to act unlawfully. ImpactID reserves the right to update this policy at any time. Contact: security@impactid.nl