Last updated · January 16, 2026
At 5E Intel, we take the security of our platform seriously. We welcome security researchers who help us identify vulnerabilities responsibly. This policy outlines how to report security issues and what you can expect from us.
1. Scope
1.1 In-Scope Systems
The following systems and services are in scope for security testing:
- 5eintel.com — Main web application
- app.5eintel.com — Application platform (if applicable)
- api.5eintel.com — API endpoints (if applicable)
- Mobile applications (if any)
1.2 Out-of-Scope
The following are explicitly out of scope:
- Physical security testing
- Social engineering attacks against employees or customers
- Attacks against third-party services we use
- Denial of service (DoS/DDoS) attacks
- Spam or phishing campaigns
- Third-party hosted services (Stripe, email providers, etc.)
2. Rules of Engagement
When conducting security research, please adhere to the following rules:
Do
- Report vulnerabilities promptly after discovery
- Provide sufficient detail to reproduce the issue
- Make a good faith effort to avoid privacy violations and data destruction
- Only interact with accounts you own or have explicit permission to test
- Stop testing and report immediately if you access sensitive data
- Give us reasonable time to fix issues before public disclosure
Don’t
- Access, modify, or delete data belonging to other users
- Execute denial of service attacks
- Send unsolicited emails to users (spam/phishing)
- Perform social engineering against staff or customers
- Use automated scanning tools that generate excessive traffic
- Publicly disclose vulnerabilities before we’ve had time to fix them
- Attempt to access internal systems, networks, or infrastructure
- Test on production systems during business hours without coordination
3. Reporting Process
3.1 How to Report
Please send vulnerability reports to:
3.2 What to Include
Please include the following information in your report:
- Description: Clear description of the vulnerability
- Impact: Potential impact if exploited
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: Screenshots, videos, or code demonstrating the vulnerability
- Environment: Browser, OS, and any relevant configuration
- Affected URL(s): Specific endpoints or pages affected
- Your Contact Info: Email address for follow-up questions
3.3 Encryption (Optional)
For sensitive reports, you may encrypt your message using our PGP key. Contact security@5eintel.com to request our public key.
4. Our Commitment
4.1 Response Timeline
| Initial Acknowledgment | Within 5 business days |
|---|
| Triage and Assessment | Within 10 business days |
|---|
| Status Update | Every 2 weeks until resolution |
|---|
| Resolution | Varies based on severity (typically 30–90 days) |
|---|
4.2 Safe Harbor
Safe Harbor Statement: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following this policy. We consider security research conducted in accordance with this policy to be authorized.
We commit to:
- Not initiate legal action against researchers who follow this policy
- Work with you to understand and resolve the issue quickly
- Keep you informed about the status of your report
- Credit you (if desired) when we publicly disclose the vulnerability
4.3 Credit and Recognition
We believe in recognizing the contributions of security researchers. If you’d like to be credited:
- We can acknowledge you in our security advisories (with your permission)
- We can add you to our Hall of Fame (if we create one)
- We can provide a reference letter confirming your responsible disclosure
5. What We Don’t Offer
5.1 Bug Bounty
At this time, we do not offer monetary rewards for vulnerability reports. We are a small team and appreciate researchers who report issues to help make our platform more secure for everyone.
5.2 Coordinated Disclosure
We follow a coordinated disclosure model:
- We ask that you do not publicly disclose vulnerabilities until we’ve had reasonable time to address them
- We aim to fix critical issues within 30 days, and other issues within 90 days
- If we cannot fix an issue within the expected timeframe, we’ll work with you on an appropriate disclosure timeline
- We will notify you before we publicly disclose any issue you reported
6. Qualifying Vulnerabilities
6.1 Examples of Qualifying Issues
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection
- Authentication or session management flaws
- Authorization bypass
- Server-Side Request Forgery (SSRF)
- Remote code execution
- Information disclosure of sensitive data
- Insecure direct object references
6.2 Non-Qualifying Issues
The following are generally not considered qualifying vulnerabilities:
- Missing HTTP security headers that don’t lead to direct exploitation
- Clickjacking on pages without sensitive actions
- Self-XSS (XSS that only affects your own session)
- Rate limiting issues that don’t pose a security risk
- Disclosure of non-sensitive information (software versions, etc.)
- Issues requiring physical access to a user’s device
- Issues in third-party libraries without demonstrated impact
- Password policy suggestions
- Email spoofing (SPF/DKIM/DMARC) issues without demonstrated impact
- Theoretical vulnerabilities without proof of concept
7. Contact
Security reports: security@5eintel.com
Questions about this policy: security@5eintel.com
Related
Thank you for helping keep 5E Intel and our users safe. We appreciate the time and effort security researchers put into making the internet more secure.
