Responsible disclosure
Last updated 19 June 2026
IntelligenceX welcomes reports from security researchers who help keep our systems and our clients safe. This Responsible Disclosure Policy explains how to report a vulnerability in IntelligenceX-owned systems and what you can expect from us.
If you follow this Policy in good faith, we will not pursue or support legal action against you for your research.
1. Scope
This Policy covers systems and domains owned and operated by IntelligenceX, including intelligencex.org and our product platforms. It does not authorise testing against our clients' systems or any third party. Engagements with clients are always governed by a separate, signed agreement.
2. How to Report
Email your findings to incident@intelligencex.org. Please include enough detail for us to reproduce the issue, such as the affected URL or component, a description of the vulnerability, and clear, non-destructive steps to reproduce it. Where possible, encrypt sensitive details and avoid sharing them with third parties.
3. Guidelines for Researchers
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Only interact with accounts you own or have explicit permission to test.
- Do not access, modify, or exfiltrate data beyond what is needed to demonstrate the issue.
- Give us reasonable time to investigate and remediate before any public disclosure.
4. Out of Scope
- Denial-of-service attacks and volumetric or load testing.
- Social engineering of our staff, clients, or vendors.
- Physical attacks against our offices or data centres.
- Reports from automated scanners without a demonstrated, exploitable impact.
5. Our Commitment
We aim to acknowledge valid reports promptly, keep you updated on remediation, and credit researchers who wish to be recognised once an issue is resolved. A machine-readable version of our security contact is published at /.well-known/security.txt.
6. Contact
Send vulnerability reports and security concerns to incident@intelligencex.org.