Introduction
Ivan Carlos Consulting appreciates feedback from security researchers and the general public to help improve our security, protecting everyone's information. If you believe you have discovered a vulnerability, privacy issue, data exposure, or other security problems in any of our assets, we want to hear from you.
This policy outlines the guidelines for conducting vulnerability discovery activities, the allowed scope, how to send us reports, and what you can expect from us during this process.
Authorization and Safe Harbor
If you make a good-faith effort to comply with this policy during your security research, we will consider your research conducted under this policy to be:
Authorized with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental and good-faith violations of this policy;
Authorized with respect to any relevant laws regarding circumvention of technological controls, and we will not file complaints against you for bypassing technology controls;
Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Use Policy (AUP) that would interfere with conducting security research, and we waive those restrictions in a limited manner; and
Legal, beneficial to overall Internet security, and conducted in good faith.
As always, you are expected to comply with all applicable laws. If legal action is initiated against you by a third party and you have acted in accordance with this policy, we will take steps to make it public that your actions were conducted in compliance with our guidelines and have our authorization.
Note: The Safe Harbor applies only to legal claims under the control of Ivan Carlos Consulting. This policy does not bind independent third parties. If at any time you have questions or are unsure whether your research complies with this policy, please contact us through our Official Channels before proceeding.
Our Commitments
By working with us under this policy, you can expect that we will:
Respond promptly to your report, confirming receipt;
Work openly with you to understand, validate, and analyze the vulnerability until resolution;
Make efforts to keep you informed about the progress of a vulnerability as it is processed;
Work to fix discovered vulnerabilities in a timely manner, within our operational constraints; and
Extend Safe Harbor to your vulnerability research related to this policy.
Our Expectations and Guidelines
By participating in our good-faith vulnerability disclosure program, we ask that you:
Follow the rules, including this policy and any other relevant agreements. In case of inconsistency between this policy and other applicable terms, the terms of this policy will prevail;
Notify us as soon as possible after discovering a real or potential security issue;
Make every effort to avoid violations of third-party privacy, degradation of user experience, disruption of production systems, and destruction or manipulation of data;
Access and Exploitation Limitation: Use exploits only to the extent necessary to confirm the presence of a vulnerability and demonstrate a Proof of Concept (PoC). Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or use the exploit to pivot to other systems;
Sensitive Data: If the vulnerability provides unintended access to data, limit access to the minimum necessary. If you encounter user data such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, financial information, intellectual property, or trade secrets, stop testing immediately, notify us, and do not disclose this data to anyone else;
Interact only with test accounts that you own or have explicit permission from the account holder;
Provide us a reasonable period (at least 90 days from the initial report) to resolve the issue before public disclosure;
Use only the Official Channels to discuss vulnerability information with us;
Do not submit a large volume of low-quality reports; and
Do not engage in extortion of any kind.
Scope
In-Scope Systems: This policy applies to any digital assets owned, operated, or maintained by Ivan Carlos Consulting.
Out of Scope: Assets or other equipment not owned by the parties participating in this policy are out of scope and testing is not authorized. Vulnerabilities discovered in out-of-scope systems, except when related to configurations performed by Ivan Carlos Consulting, should be reported to the appropriate vendor or authority. This includes third-party infrastructure not owned by Ivan Carlos Consulting or its clients, including but not limited to:
Collaboration services such as Microsoft 365 and Google Workspace;
Security services such as Acronis and ESET;
Support services such as TeamViewer and Zendesk.
Unauthorized Testing Methods
The following testing methods are not authorized under any circumstances:
Network denial-of-service testing (DoS or DDoS) or other tests that impair access or damage a system or data;
Physical testing (e.g., office access, open doors, unauthorized use);
Social engineering (e.g., phishing, vishing);
Any other non-technical vulnerability testing.
Rewards (Bug Bounty)
Ivan Carlos Consulting does not have a cash bug bounty program; it is up to its clients to decide whether to reward researchers for vulnerabilities found in their specific environments.
Reporting a Vulnerability (Official Channels)
Information submitted under this policy will be used only for defensive purposes (to mitigate or remediate vulnerabilities).
We accept vulnerability reports through the following channels, which may be submitted anonymously:
Email:
security@icc.ggOfficial Form: Support Portal
If your findings include newly discovered vulnerabilities affecting all users of a third-party product or service (not just Ivan Carlos Consulting), we may share your report with cybersecurity and infrastructure agencies, where it will be handled according to a coordinated vulnerability disclosure process. We will not share your name or contact information with third parties without your express permission.
Notice: We do not support PGP-encrypted emails. For particularly sensitive information, we recommend submitting through our secure form.
What We Would Like to See in Your Report
The more details you provide, the easier it will be for us to triage and fix the issue. We recommend that your reports:
Describe the exact location where the vulnerability was found and the possible impact of exploitation;
Provide a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are extremely helpful);
Be written in Portuguese, English, or Spanish.
Questions
General questions about this policy, doubts about whether your research complies with the guidelines, or suggestions for improvement can be sent to security@icc.gg.