Responsible Disclosure Policy
We welcome good-faith security research. If you discover a vulnerability, we want to know — and we'll work with you to fix it quickly.
Safe Harbor: Melhousen Solutions will not pursue civil or criminal legal action against researchers who discover and report security vulnerabilities in good faith, in accordance with this policy. We consider good-faith security research to be a public benefit and will work collaboratively with researchers throughout the disclosure process.
Introduction
Melhousen Solutions is committed to maintaining the security of our systems, products, and the data they hold. Despite our best efforts, vulnerabilities may occasionally exist. We value the work of the security research community and believe responsible disclosure improves security for everyone.
This policy describes the scope of our bug bounty program, what constitutes responsible disclosure, how to report a vulnerability, and what you can expect from us in return.
Scope — In Scope
The following systems and assets are within scope for security research:
- melhousensolutions.com and all subdomains we own and operate
- ConsoleSentinel — QA monitoring engine API and web interface
- ImaraForge — cybersecurity platform API and web application
- Any other system listed at www.melhousensolutions.com that we own and operate
Scope — Out of Scope
The following are explicitly out of scope and testing them may violate our terms or applicable law:
- Third-party services, APIs, or libraries integrated into our products (report those to their respective vendors)
- Physical security attacks (social engineering, physical access)
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Automated scanning or brute-force attacks that degrade system performance
- Vulnerabilities requiring MITM or physical access to a user's device
- Issues in outdated browsers or platforms we do not support
- Rate-limiting issues that do not materially impact security
- Systems belonging to third-party providers (Azure, Stripe, Microsoft, etc.)
What Constitutes Good-Faith Research
To qualify for safe harbor protections, your research must:
- Only target systems in scope
- Avoid accessing, modifying, or exfiltrating data belonging to other users
- Avoid disrupting production availability or degrading system performance
- Not leverage the vulnerability for any purpose beyond demonstrating it exists
- Not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it (coordinated disclosure)
- Immediately report the vulnerability to us upon discovery
How to Submit a Report
Send vulnerability reports to security@melhousensolutions.com. For sensitive reports requiring encryption, request our PGP public key in your initial message.
A high-quality report includes:
- Summary — A clear, concise description of the vulnerability and its type (e.g., XSS, IDOR, SSRF)
- Affected system — URL, endpoint, or product component
- Steps to reproduce — A minimal, reliable proof-of-concept or step-by-step instructions
- Impact assessment — What data or actions could an attacker access or perform?
- Screenshots or recordings — Optional but helpful for complex vulnerabilities
- Your contact information — So we can follow up with you
Our Response Commitments
- 2 business days: We will acknowledge receipt of your report and assign it a tracking number.
- 7 business days: We will provide an initial assessment of severity and whether we can reproduce the issue.
- 30 days (critical): Critical and High severity vulnerabilities will be remediated within 30 days of confirmation.
- 90 days (others): Medium and Low severity vulnerabilities will be remediated within 90 days of confirmation.
Coordinated Disclosure
We follow a coordinated disclosure model. We ask that you do not publicly disclose vulnerability details until:
- We have confirmed and remediated the vulnerability, OR
- 90 days have passed since your initial report, OR
- We have mutually agreed to an earlier disclosure date
If you feel our response is inadequate or untimely, please contact us at security@melhousensolutions.com before disclosing publicly. We are committed to working transparently with researchers.
Recognition
We do not currently offer monetary bug bounties. However, with your permission, we will recognize security researchers who make significant, valid disclosures in our Security Hall of Fame (published on this site). Researchers may also receive Melhousen Solutions merchandise and early access to products.
Contact
For any questions about this policy or to submit a report:
- Email: security@melhousensolutions.com
- LinkedIn: linkedin.com/company/melhousen-solutions
This policy was last updated January 15, 2026 and supersedes all prior versions.