Responsible disclosure

Find a security issue? Tell us privately. We'll fix it and credit you.

Identrail is a security product. We hold ourselves to the standard we ask of every vendor we evaluate: clear contact, fast triage, public credit, no legal threats.

The process

What happens after you report.

01. Report it privately

Email security@identrail.com or open a private security advisory on GitHub. Encrypt with our PGP key if you prefer; the key fingerprint is published in the security.txt file at the site root.

02. We acknowledge within 72 hours

You will hear from a human within three business days, with a tracking ID and a named owner on our side. No silent triage.

03. We triage, scope, and fix

For confirmed issues, we agree on a fix window — typically 14 days for high severity, 30 days for medium. You get visibility into the work.

04. Coordinated disclosure

We publish a security advisory crediting you (or anonymously, if you prefer) once a fix has shipped. We do not push for embargoes longer than necessary.

In scope

  • identrail.com and any *.identrail.com subdomain
  • The Identrail open-source repo and packaged releases
  • Hosted Identrail tenants on app.identrail.com

Out of scope

  • Social engineering of Identrail employees
  • Physical security testing of Identrail facilities or staff
  • Denial-of-service attacks
  • Vulnerabilities in third-party software, unless they materially affect Identrail

Safe harbour

We will not pursue legal action against good-faith security research conducted within the scope above. Please make a reasonable effort to avoid privacy violations, data destruction, and service interruption, and stop and contact us if you encounter user data during testing.