Security & Responsible Disclosure Policy

Effective Date: September 1, 2025

We take the security of IgorBox products and services seriously. This policy describes how security researchers and users can report vulnerabilities and what to expect from us.


1. Scope

This policy applies to:

  • IgorBox websites and APIs (e.g., igorbox.com, store.igorbox.com)
  • IgorBox SaaS platform and cloud services
  • IgorBox hardware devices and official firmware

Out of scope: third‑party services not controlled by IgorBox and customer‑managed environments.


2. How to Report a Vulnerability

  • Email: security@igorbox.com (PGP key available upon request)
  • Please include: description of the issue, affected systems/versions, reproduction steps, and any proof‑of‑concept code.
  • Do not access, modify, or exfiltrate data that does not belong to you. If you accidentally access such data, stop and report immediately.

3. Coordinated Disclosure Guidelines

  • Make a good‑faith effort to avoid privacy violations, service degradation, or disruption.
  • Give us a reasonable time to investigate and remediate before public disclosure. We target an initial response within 5 business days; remediation timelines depend on severity.
  • Do not exploit a vulnerability beyond what's necessary to prove its existence.
  • Do not conduct physical attacks, social engineering, DDoS, or spam, and do not use automated scanning that degrades service.

4. Our Commitments

  • We will review your report, triage severity, and keep you informed of status.
  • We will not pursue legal action against researchers who adhere to this policy and act in good faith.
  • We may offer public recognition for significant findings with your consent.
  • At our discretion, we may offer a monetary or non‑monetary bug bounty for eligible, responsibly disclosed vulnerabilities. Rewards (if any) are determined based on severity, impact, and report quality. This is not a guarantee of payment.

5. Safe Harbor

Activities conducted in good faith and in accordance with this policy are authorized and we will not initiate or recommend legal action for such activities. This policy does not authorize access to data, systems, or accounts you do not own or manage.


6. Security Measures Overview

At a high level, IgorBox employs:

  • Encryption in transit and at rest where appropriate
  • Role‑based access control and MFA for privileged access
  • Secure development practices and vulnerability management
  • Logging, monitoring, and incident response procedures
  • Vendor and subprocessor reviews

For more detail, see our Data Processing Addendum (Annex B – TOMs).


7. Contact

Security reporting: security@igorbox.com
General support: help@igorbox.com

This document is maintained at github.com/RisingOrchards/legal