Security Policy & Vulnerability Disclosure

We take security seriously. If you've discovered a security vulnerability, we want to hear from you.

Our Commitment to Security

As a provider of identity security solutions, IdentityFirst is committed to maintaining the highest standards of security for our platform, our customers, and the broader security community. We welcome responsible disclosure of security vulnerabilities and are committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities.

Security Contact

Email: security@identityfirst.net

PGP Key: Available upon request

Expected Response Time: 24-48 hours for initial acknowledgment

security.txt: /.well-known/security.txt (RFC 9116 compliant)

Vulnerability Disclosure Process

1. Report

Email security@identityfirst.net with details of the vulnerability. Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

2. Acknowledgment

We will acknowledge receipt of your report within 24-48 hours and provide an initial assessment of the report's validity and severity.

3. Investigation

Our security team will investigate the issue, reproduce the vulnerability, and assess the risk and impact. We may reach out for additional information.

Typical timeline: 5-10 business days

4. Resolution

We will develop and test a fix for verified vulnerabilities. Critical issues are prioritized for immediate patching.

Target remediation:

  • Critical: 7 days
  • High: 30 days
  • Medium: 60 days
  • Low: 90 days

5. Disclosure

Once the vulnerability is resolved, we will coordinate public disclosure with the researcher. We believe in transparent security and will publish advisories for verified issues.

Scope

In Scope

We are interested in vulnerabilities affecting:

  • identityfirst.net (public website)
  • IdentityHealthCheck platform (SaaS application)
  • API endpoints (api.identityfirst.net)
  • Authentication and authorization mechanisms
  • Data encryption and protection
  • Session management
  • Input validation and sanitization
  • Access control vulnerabilities
  • Injection vulnerabilities (SQL, XSS, etc.)
  • Business logic flaws
  • Cryptographic weaknesses

Out of Scope

The following are explicitly out of scope:

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering attacks (phishing, etc.)
  • Physical security testing
  • Third-party services we use but do not control
  • Vulnerabilities requiring physical access to devices
  • Issues affecting outdated or unsupported browsers
  • Missing security headers without demonstrated impact
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on forms with no security impact
  • Descriptive error messages without sensitive data disclosure
  • Issues requiring unlikely user interaction
  • Vulnerabilities in demo environments (unless affecting production)

Safe Harbor

IdentityFirst supports safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Only interact with accounts they own, or with the explicit permission of the account holder
  • Do not exploit a security issue beyond what is necessary to demonstrate it
  • Allow us a reasonable time to resolve the issue before any public disclosure
  • Do not perform actions that could harm IdentityFirst, its customers, or the public

When you conduct security research in accordance with this policy, we consider that research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) and equivalent UK Computer Misuse Act provisions
  • Authorized in accordance with the DMCA and other applicable laws
  • Exempt from restrictions in our Terms of Service that would interfere with security research
  • Lawful, and we will not initiate legal action against you

What We Expect from Security Researchers

Responsible Disclosure

Report vulnerabilities privately to security@identityfirst.net before any public disclosure. Allow reasonable time for remediation.

Do No Harm

Do not access, modify, or delete data belonging to others. Do not disrupt services or degrade the user experience.

Respect Privacy

Do not access or exfiltrate customer data. If you encounter customer data during research, cease testing immediately and report it.

Test Safely

Use test accounts for security research. Do not attempt to access production customer environments or data.

Provide Detail

Include clear steps to reproduce, potential impact assessment, and any supporting evidence (screenshots, proof-of-concept).

Be Patient

Security fixes take time to develop, test, and deploy. We commit to keeping you informed throughout the process.

What You Can Expect from IdentityFirst

Timely Response

Initial acknowledgment within 24-48 hours. Regular updates throughout the investigation and remediation process.

Good Faith Treatment

We will work with you in good faith to understand and resolve the issue. We will not take legal action against researchers acting in accordance with this policy.

Recognition

With your permission, we will publicly acknowledge your responsible disclosure in our security advisories and Hall of Fame.

Transparency

We are committed to transparent security. Verified vulnerabilities will be published in security advisories after remediation.

Security Researcher Hall of Fame

We gratefully acknowledge the following security researchers who have helped improve the security of IdentityFirst through responsible disclosure:

Hall of Fame acknowledgments will be added as we receive and remediate valid security reports. Be the first!

Recognition is subject to researcher consent. We respect researchers who prefer to remain anonymous.

Security Advisories

When security vulnerabilities are identified and resolved, we publish security advisories to keep our customers and the security community informed.

No security advisories have been published yet. This section will be updated as advisories are issued.

Subscribe to security announcements: security-announcements@identityfirst.net

Our Security Practices

Beyond vulnerability disclosure, IdentityFirst maintains comprehensive security practices:

Secret Management

HashiCorp Vault integration for all sensitive credentials and encryption keys. No secrets stored in code or configuration files.

Encryption

Data encrypted at rest (AES-256) and in transit (TLS 1.3). End-to-end encryption for sensitive customer data.

Access Control

Multi-tenant architecture with strict data isolation. Role-based access control (RBAC) and principle of least privilege.

Audit Logging

Comprehensive audit trails for all security-relevant actions. SHA-256 hashing for evidence integrity.

Compliance

SOC 2 Type II certification in progress (Q1 2026). ICO registered (ZC031428). GDPR compliant data processing.

Continuous Monitoring

Security monitoring, intrusion detection, and automated vulnerability scanning of our infrastructure.

Secure Development

Security-first development practices including code review, dependency scanning, and security testing in CI/CD pipeline.

Incident Response

Documented incident response procedures with defined escalation paths and customer communication protocols.

External Security Testing

IdentityFirst engages in regular external security assessments:

  • Penetration Testing: Annual third-party penetration tests (next scheduled: Q1 2026)
  • Vulnerability Scanning: Continuous automated scanning for known vulnerabilities
  • Code Audits: Regular security-focused code reviews by internal and external experts
  • SOC 2 Type II Audit: Underway - expected completion Q1 2026

Summaries of external security assessments are published after completion. Full reports are available to enterprise customers under NDA.

Bug Bounty Programme

IdentityFirst is planning to launch a formal bug bounty programme in 2026. This programme will provide financial rewards for qualifying security vulnerabilities based on severity and impact.

Until the formal bug bounty programme launches, we offer recognition and public acknowledgment (with your consent) for responsible disclosure. While we don't currently offer monetary rewards, we deeply value the contributions of security researchers to improving our platform's security.

Subscribe to security announcements to be notified when the bug bounty programme launches: security-announcements@identityfirst.net

Questions About This Policy?

If you have questions about this security policy or the vulnerability disclosure process, please contact us:

Email: security@identityfirst.net

General Inquiries: contact@identityfirst.net