Vulnerability Disclosure Policy

Introduction

Imagix is committed to ensuring the security of its users' and clients' information. This policy provides clear guidelines for security researchers on how to conduct vulnerability discovery activities and how to report discovered vulnerabilities to us.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Imagix will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.

Systems and Types of Research Covered

This policy covers all systems and services managed by Imagix that are accessible via the internet. Any domain or property not explicitly listed as within scope is out of scope and not authorized for testing.

Reporting a Vulnerability

To report a vulnerability, please email security@imagix.tech with the following information:

  • A detailed description of the vulnerability.
  • Steps to reproduce the vulnerability (including proof of concept scripts or screenshots, if applicable).
  • The potential impact of exploiting the vulnerability.

What to Expect from Us

  • Within three business days, Imagix will acknowledge receipt of your report.
  • We will confirm the existence of the vulnerability and be transparent about the steps we are taking to resolve the issue, including any challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues and provide periodic updates on the status of the fix.

Guidelines

  • Do not exfiltrate data; use a proof of concept to demonstrate the vulnerability.
  • Do not exploit a vulnerability to disable additional security controls.
  • Do not perform social engineering or use automated scanners.
  • Respect data privacy and notify us immediately if you access third-party data.

Rewards and Recognition

Imagix acknowledges security researchers' contributions through:

  • Public recognition on our Hall of Fame
  • Reference letters upon request
  • Direct acknowledgment of contributions

For exceptional findings (such as critical vulnerabilities), we may offer monetary rewards according to our bounty table, subject to:

  • Severity and impact (CVSS score)
  • Quality of report
  • Complexity of discovery
  • Available budget

Current reward range: R$100-1000 (USD 20-200)

Note: As a growing startup, most validations will receive public recognition rather than monetary compensation. We value your contributions and commit to transparently acknowledging them.

Scope

In scope:

  • *.imagix.tech
  • Imagix mobile applications
  • Imagix API endpoints

Safe Harbor

Imagix will not take legal action against security researchers who:

  • Make good faith efforts to comply with this policy
  • Do not compromise user privacy
  • Do not disrupt our services
  • Report vulnerabilities promptly and responsibly

Contact

For questions about this policy or to report a vulnerability, please contact: security@imagix.tech