International Money Flow
LEGAL · DISCLOSURE

Coordinated disclosure policy

How we coordinate vulnerability disclosure with vendors, researchers, and our clients.

Reporting to us

Send vulnerability reports to security@internationalmoneyflow.com. Encrypt with our PGP key (fingerprint and public key on the contact page). We acknowledge receipt within two working days.

Default disclosure window

Our default coordinated-disclosure window is ninety days from first contact with the affected vendor. The window is negotiable in both directions:

  • Down to thirty days when there is evidence of active exploitation and the affected population has no compensating mitigation.
  • Up to three hundred sixty days when the affected system is under a regulatory certification regime that physically cannot ship a patched binary inside ninety days, and the vendor is engaging in good faith.

Outside that range we will walk away from the negotiation rather than agree to terms we will later regret.

What we publish, and when

On disclosure day, we publish the advisory at /advisories with the original disclosing party preserved in the Reporter field. Where we are the original reporter, we say so explicitly. Where we are republishing another party's disclosure with our own analysis, we say that too.

Working exploits are not published before patches are widely available. After patches are available, we may publish enough technical detail to support detection engineering.

Safe harbour

We will not pursue legal action against researchers who report vulnerabilities to us in good faith, who avoid privacy violations and degradation of our customers' experience during testing, and who give us a reasonable window to fix issues before public disclosure. The legal language is in the terms; the practical commitment is the previous sentence.

Out of scope

  • Findings on customer infrastructure that we do not operate.
  • Social engineering of staff, customers, or contractors.
  • Denial-of-service testing against production services.
  • Findings whose only impact is the absence of a defence-in-depth control that is not part of any threat model we publish.

Acknowledgements

Researchers who follow this policy are credited in the advisory's Reporter field at their preference (real name, handle, or anonymously). Credit is non-negotiable on our part — the work is theirs, not ours.

Last reviewed

2026-04-29. We review and republish this policy at least annually, and immediately after any incident that reveals a gap.