Security Disclosure Policy
We take the security of IdentityMesh seriously and welcome reports from the security research community. This page describes how to reach us, what we accept, and what you can expect in return.
Reporting a vulnerability
Send an email to security@identitymesh.example. The same address is published in our /.well-known/security.txt file (RFC 9116). A PGP key for encrypted reports will be linked from security.txt when published; until then, please do not include exploit details that you would not be comfortable sending in cleartext.
Please include, where possible:
- A short summary of the issue and its impact.
- The IdentityMesh component (Admin API, Sync Engine, Relay Agent, Admin UI, Installer, connector) and the version or commit you tested.
- Steps to reproduce, ideally with a minimal proof-of-concept. Screenshots, packet captures, or log excerpts are welcome.
- Any suggested mitigation, if you have one in mind.
- Whether you would like to be credited and, if so, the name or handle to use.
We will acknowledge receipt within 1 business day and provide an initial assessment within 5 business days.
Scope
In scope
- The IdentityMesh codebase (Admin API, Admin UI, Sync Engine, Relay Agent, Composer, connectors maintained by the IdentityMesh team).
- Official MSI installers and patch packages distributed by IdentityMesh.
- Public sites and services operated by the IdentityMesh team (this site, documentation, download endpoints).
- Cryptographic, authentication, and authorization design issues in shipped code.
Out of scope
- Customer-operated deployments. IdentityMesh is on-premises software; please report findings against a specific customer environment to that customer's security team.
- Third-party connector DLLs not authored by the IdentityMesh team.
- Issues that depend on physical access to a server or compromise of a host's Windows credentials, unless they reveal a design flaw in IdentityMesh itself.
- Reports generated solely from automated scanners with no demonstrated impact.
- Social-engineering or phishing attempts against IdentityMesh staff or customers.
Coordinated disclosure timeline
Our default disclosure window is 90 days from the date we acknowledge a report. We aim to ship a fix and a public advisory inside that window. The window may be extended if a fix requires a coordinated upgrade across customer deployments, or shortened by mutual agreement if the issue is already being exploited or has been independently discovered.
Internal fix targets by severity:
- Critical — remote unauthenticated code execution, secret exposure, authentication bypass: fix or workaround within 30 days.
- High — privilege escalation, sensitive data disclosure to authenticated users: 60 days.
- Medium — lower-impact issues, defense-in-depth gaps: 90 days.
- Low — informational, hardening: best-effort, typically rolled into the next minor release.
If we cannot meet the agreed window, we will tell you why and propose a revised date before the deadline lapses.
Safe harbor
We will not pursue legal action or law-enforcement referral against researchers who, in good faith, follow this policy and:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Only access an account, data, or system to the extent necessary to demonstrate the vulnerability.
- Do not exfiltrate data beyond the minimum needed to prove impact, and delete any retrieved data once the report is filed.
- Do not affect customer service availability (no denial-of-service testing against production systems without prior written consent).
- Give us a reasonable opportunity to investigate and remediate before any public disclosure.
This safe harbor applies only to research that targets systems and code in scope above. It does not waive obligations you may have to other parties, and it does not authorize testing against customer-operated deployments without that customer's permission.
Mutual commitments
What we ask of you
- Do not share the vulnerability publicly until we have coordinated a release.
- Respect the confidentiality of any information you encounter while researching.
- Use the contact channels above; do not file the vulnerability as a public GitHub issue.
- Allow reasonable time for triage, remediation, and customer notification.
What we commit to
- Acknowledge your report within 1 business day.
- Provide an initial severity assessment within 5 business days.
- Keep you informed with regular status updates while we work on a fix.
- Publish a public advisory once a fix is available, and request a CVE where appropriate.
- Credit you on our acknowledgements page if you would like attribution.
Bug bounty
IdentityMesh does not currently operate a paid bug-bounty program. We may offer recognition and, in some cases, swag for high-impact findings. If we launch a formal program, the terms will be published on this page.