Vulnerability Disclosure Policy
- Last Updated: 9 Mar 2026
- Next Review: 1 Jul 2026
Enprivacy is committed to the security of Invisiq and to protecting the customers who deploy it. We welcome reports from security researchers, customers, and the broader community about potential vulnerabilities.
This policy describes how to report a vulnerability, what you can expect from us, and what we ask of you in return.
This policy covers:
- Invisiq application code (all supported versions)
- Container images and build artefacts published by Enprivacy
- Enprivacy corporate infrastructure
Out of scope
This policy does not cover:
- Vulnerabilities in your own deployment configuration or infrastructure
- Vulnerabilities in third-party components where Enprivacy is not the appropriate reporter (please report those directly to the upstream project; we are happy to assist if needed)
- Denial-of-service attacks against Enprivacy infrastructure
- Social engineering of Enprivacy employees
How to Report
Please send vulnerability reports to:
- Email: security@enprivacy.com
- PGP key: (Public Key to be provided) (Key ID: (KEY_ID))
Please include the following information:
- A description of the vulnerability and its potential impact
- The affected component and version(s)
- Step-by-step reproduction instructions
- Any proof-of-concept code or screenshots (if applicable)
We request that you do not include sensitive customer data in your report.
What to Expect From Us
| Milestone | Target timeframe |
|---|---|
| Acknowledgement of your report | 3 business days |
| Confirmation of scope and initial severity assessment | 5 business days |
| Status update | Every 10 business days |
| Resolution and coordinated disclosure | Dependent on severity; see below |
Resolution SLAs
| Severity | Target remediation |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 90 days |
| Low | Next scheduled release |
If we cannot meet a deadline, we will communicate this to you proactively with a revised timeline and reason.
Coordinated Disclosure
We follow a coordinated disclosure process:
- You report the vulnerability to us privately.
- We investigate and develop a fix.
- We agree a disclosure date with you — typically 90 days from the date of our confirmation, though we may request an extension for complex issues.
- We publish a security advisory and release a patched version.
- You are welcome to publish your own write-up at or after the coordinated disclosure date.
We will credit you in our security advisory unless you prefer to remain anonymous.
Our Commitments to You
If you follow this policy in good faith, Enprivacy commits to:
- Not pursue legal action against you for your research
- Work with you to understand and validate your report
- Keep you informed of progress
- Publicly credit you for your discovery (unless you prefer otherwise)
Security Advisories
Published security advisories for Enprivacy are available at CVE Database.
Advisories follow the CVSSv4 scoring framework and include:
- CVE identifier (where applicable)
- Affected versions
- Description and impact
- Remediation guidance (patch version or workaround)
Bug Bounty
We do not currently operate a formal bug bounty program, but we deeply appreciate responsible reports and will acknowledge contributors in our advisories.