
Vulnerability Disclosure Program

We value the security research community. Report vulnerabilities responsibly and help us protect our clients and infrastructure.

How to Report a Vulnerability

Choose your preferred secure communication method

Email (PGP Encrypted)
Recommended for all reports. Encrypt your email using our PGP public key before sending.
Email (Standard)
Send your vulnerability report via email. All communications are transmitted over TLS 1.3.
What to Include in Your Report
1. Vulnerability Description
Provide a clear, concise description of the vulnerability.
Example: "SQL injection vulnerability in the login form allows unauthorized database access."
2. Affected System/Service
Specify which system, URL, or service is affected.
Example: "https://portal.example.com/login – Login authentication endpoint"
3. Steps to Reproduce
Provide detailed steps so we can verify the vulnerability.
Example:
  1. Navigate to https://portal.example.com/login
  2. Enter username: admin' OR '1'='1
  3. Enter any password
  4. Click "Login"
  5. Observe unauthorized access granted
4. Impact Assessment
Explain what an attacker could achieve by exploiting this vulnerability.
Example: "An attacker could gain unauthorized access to the admin panel, view sensitive client data, and potentially modify system configurations."
5. Supporting Materials (Optional)
Include screenshots, logs, or proof-of-concept code if available.
  • Screenshots showing the vulnerability
  • Network traffic captures (sanitized)
  • Proof-of-concept code (non-weaponized)
6. Your Contact Information
Include your name or handle and preferred contact method so we can keep you updated and provide credit if desired.

PGP Public Key

Use this key to encrypt sensitive vulnerability reports before sending to security@isoutsource.com


Our Commitment to You

We follow industry best practices and provide legal safe harbor for good-faith researchers

What We Promise
  • Acknowledge your report within 5 business days
  • Provide initial assessment within 10 business days
  • Keep you informed throughout the remediation process
  • Publicly credit you (if desired) after resolution
  • No legal action for good-faith security research
What We Ask
  • Avoid accessing or modifying client data
  • Do not impact service availability or performance
  • Respect privacy and confidentiality of information
  • Allow 90 days for remediation before public disclosure
  • Report in good faith and follow responsible disclosure practices

Program Scope

Understanding what’s in scope helps you focus your research efforts

In Scope
  • Public-facing systems and infrastructure
  • Corporate systems and managed service tools
  • Web applications and APIs
  • Authentication and authorization systems
  • ISOutsource-owned domains and subdomains
  • Publicly exposed configuration files, metadata, and headers
Out of Scope
  • Client environments (even with explicit authorization)
  • Social engineering (phishing, vishing, etc.)
  • Physical security testing of facilities
  • Denial of Service (DoS/DDoS) attacks
  • Third-party services not managed by us
  • Spam or automated vulnerability scanning

This program follows industry best practices including ISO/IEC 29147, NIST SP 800-53, and CISA guidance.

For urgent security matters, contact: security@isoutsource.com