Infotech Vulnerability Disclosure Program
As a pioneer in electronic bidding, Infotech values community security. Security experts who responsibly discover vulnerabilities in our digital assets (websites or applications) are invited to share their findings. Your expertise is vital in helping us ensure a safe experience for all customers and strengthen our defenses.
Overview
Info Tech Operating, LLC DBA Infotech (Infotech) understands the value of partnering with the greater security community to provide a safe and secure experience for all of our customers. If you are a security researcher or expert and believe you have identified a security-related issue in one or more of Infotech's digital assets (websites or applications), we would appreciate you disclosing it to us responsibly.
Authorization & Safe Harbor
To encourage responsible disclosure, Infotech will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines.
This Safe Harbor applies only if your activity:
- Is limited to the scope and testing guidelines set forth below.
- Does not access customer or employee personal information, customer data, or Infotech confidential information.
- Does not degrade the user experience, disrupt production systems, or destroy data on ANY Infotech digital asset.
Important: The Safe Harbor Policy excludes residents of countries currently under U.S. sanctions, including but not limited to: the Democratic People's Republic of Korea, Islamic Republic of Iran, People's Republic of China, Republic of Cuba, Republic of the Sudan, Russian Federation, and Syrian Arab Republic.
Unauthorized Activity
To protect our systems, users, and data, the following activities are strictly prohibited and fall outside the protection of Safe Harbor:
- Social Engineering: Phishing, vishing, or any attempt to deceive Infotech employees or users.
- Physical Attacks: Attempting to gain physical access to Infotech offices, data centers, or facilities.
- Denial of Service: Any activity that degrades, disrupts, or damages services (e.g., DoS/DDoS, brute force, or mass automated testing).
- Resource Exhaustion: Sending massive amounts of traffic to exhaust our system resources.
- Lateral Movement: Attempting to “pivot” to other systems or accessing data beyond what is strictly necessary to prove the vulnerability.
Testing Guidelines
When conducting your research, we ask that you:
- Identify your traffic: Include the HTTP header X-ITIRESEARCH: UNIQUE ID in every request you send, where UNIQUE ID is a string that identifies you (for example, the username or handle you normally use). This lets us tell your research traffic apart from adversary traffic in our logs.
- Protect Data: Do not access, modify, or destroy data that does not belong to you. If you accidentally access such data, stop testing and report the issue immediately.
- Clean Up: Securely delete any Infotech information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research after submitting your report.
How to Report
Please send your report to disclosure@infotechinc.com
Report Requirements: To help us validate and resolve the issue quickly, please include:
- A brief summary of the vulnerability.
- The IP address(es) you tested from (your "testing IP address"), so we can distinguish your traffic from adversary traffic.
- Clear reproduction steps and screenshots/screen captures.
- A list of all security researchers involved.
Note: Researchers may not use a proxy to submit reports to Infotech.
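The two identifiers the guidelines above ask for, the X-ITIRESEARCH header on every request and the testing IP in the report, work together: the header marks the traffic, and the reported IP is what lets the receiving side trust the header, since anyone can send one. The following is an added example written for this page, not Infotech's code or tooling. It shows a researcher-side helper that stamps the header on every request, and a receiving-side classifier that uses header plus reported IP to separate research traffic from everything else. The log format (combined log with the header appended as a final quoted field), the researcher ID, the IP addresses and the log lines are all constructed for the illustration.

```python
"""Added example (not Infotech code): attach the X-ITIRESEARCH header to every
request on the researcher side, and on the receiving side use that header plus
the testing IP from the report to separate research traffic from everything
else. The log format, researcher ID, IP addresses and log lines are all
constructed for this illustration."""
from __future__ import annotations

import re
import urllib.request

RESEARCH_HEADER = "X-ITIRESEARCH"


def research_opener(researcher_id: str) -> urllib.request.OpenerDirector:
    """Return a urllib opener that adds the identifying header to every request
    it sends, so the tag cannot be forgotten on one request out of hundreds."""
    opener = urllib.request.build_opener()
    opener.addheaders = [
        (RESEARCH_HEADER, researcher_id),
        ("User-Agent", "vdp-research"),
    ]
    return opener


def header_value(opener: urllib.request.OpenerDirector) -> str:
    """The X-ITIRESEARCH value an opener will send; check it before testing."""
    return dict(opener.addheaders)[RESEARCH_HEADER]


# Assumed log format: Apache combined log with the request header appended as a
# final quoted field (LogFormat ... "%{X-ITIRESEARCH}i"), logged as "-" when absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<tag>[^"]*)"$'
)


def classify(line: str, reported: dict[str, set[str]]) -> tuple[str, str | None]:
    """Label one log line using the submitted reports.

    reported maps each X-ITIRESEARCH value to the testing IPs its author gave
    in their report. The header alone is not trusted: anyone can send it, so a
    tag arriving from an IP the researcher did not report is flagged for
    follow-up rather than treated as authorised research traffic.
    """
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None)
    ip, tag = m["ip"], m["tag"]
    if tag != "-":
        if tag not in reported:
            return ("tag-without-report", tag)
        if ip in reported[tag]:
            return ("research", tag)
        return ("tag-from-unreported-ip", tag)
    for rid, ips in reported.items():
        if ip in ips:
            return ("reported-ip-without-tag", rid)
    return ("other", None)


def summarize(lines: list[str], reported: dict[str, set[str]]) -> dict[str, int]:
    """Count lines per label so the remaining 'other' traffic can be reviewed."""
    counts: dict[str, int] = {}
    for line in lines:
        label, _ = classify(line, reported)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed report data and log lines (IPs are RFC 5737 documentation addresses).
REPORTED = {"alice-2024": {"203.0.113.7"}}
SAMPLE_LOG = [
    # tagged and from the reported IP: research traffic
    '203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "GET /login?user=%27 HTTP/1.1" 200 512 "alice-2024"',
    # same probe, no tag, unknown IP: cannot be attributed to the researcher
    '198.51.100.9 - - [12/Mar/2024:10:15:02 +0000] "GET /login?user=%27 HTTP/1.1" 200 512 "-"',
    # reported IP but the header was forgotten on this request
    '203.0.113.7 - - [12/Mar/2024:10:16:40 +0000] "GET /admin HTTP/1.1" 403 0 "-"',
    # known tag from an IP the researcher never reported: verify before trusting
    '192.0.2.44 - - [12/Mar/2024:10:17:05 +0000] "POST /api/bids HTTP/1.1" 500 88 "alice-2024"',
    # tag with no matching report on file
    '198.51.100.22 - - [12/Mar/2024:10:18:11 +0000] "GET /search?q=test HTTP/1.1" 200 2048 "bob"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line, REPORTED))
    print(summarize(SAMPLE_LOG, REPORTED))
```

The researcher-side helper is deliberately thin: the point is that the header is set once on the opener rather than per request, so a long session cannot accidentally emit untagged probes that look like the third log line above. On the receiving side, the combination matters: a tag from an unreported IP and a reported IP without a tag are both worth a follow-up question to the researcher rather than a silent assumption either way.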
What to Expect After Submitting a Report
We are committed to open communication. Here is how we handle your report:
- Confirmation: We will review your submission and aim to confirm the validity of the report within seven (7) days.
- Remediation: If the vulnerability is valid, our team will work to apply a fix. We will prioritize issues based on severity and risk.
- Notification: Once the vulnerability is resolved, we will notify you to confirm the fix.
Disclosure Guidelines
Infotech is committed to fixing vulnerabilities in a timely manner. To protect our customers:
- No Public Disclosure: You may not publicly disclose the vulnerability (on social media, blogs, conferences, etc.) until Infotech has remediated the issue AND you have received explicit written approval from us.
- No Automatic Release: We do not offer an automatic release date (e.g., “90-day disclosure”). Disclosure is at the sole discretion of Infotech.
- Proprietary Data: You may never disclose non-public data (e.g., customer PII) discovered during your testing.
Scope
The following domains are in scope for this program:
- *.infotechinc.com
- *.infotechfl.com
- *.infotechhosting.com
- *.infotechhosting.net
Out of Scope Vulnerabilities
We do not accept reports for the following unless exploitability is clearly demonstrated:
- Denial of Service (DoS)/Distributed Denial of Service (DDoS) issues.
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device.
- Clickjacking/UI redressing with no practical security impact.
- Missing best practices (e.g., SPF/DMARC, missing cookie flags, SSL/TLS configuration).
- Self-XSS. An XSS report must show that the payload can be delivered to another user, i.e., a reflected, stored, or DOM-based vector.
- Content spoofing and text injection issues without showing an attack vector.
- Software version disclosure or use of known-vulnerable libraries (e.g., OpenSSL) without proof of exploitation.
- Mobile app submissions related to OAuth secret leaks or requiring rooted/jailbroken devices.
- Password and account recovery policies, such as reset link expiration or password complexity.
Third-Party Systems
This policy applies only to systems owned and operated by Infotech. If you are unable to distinguish between an Infotech-owned asset and a third-party service (e.g., a SaaS provider, hosting partner, or analytics vendor), you must assume it is out of scope.
Infotech cannot authorize security research on third-party infrastructure. If you discover an issue that affects a third-party vendor used by Infotech, please report it directly to that vendor.
Intellectual Property
By submitting a report to Infotech, you grant us a perpetual, worldwide, royalty-free, non-exclusive license to use your submission to correct vulnerabilities, improve our products, and protect our users. You agree that you are submitting this report voluntarily and that you have no expectation of payment or compensation.
Program Terms
- Compliance with Laws: Your testing must comply with all applicable laws.
- Employment: Participation in this program is not an offer of employment.
- Modifications: Infotech reserves the right to modify or cancel this program at any time without prior notice.
Compensation
This Vulnerability Disclosure Program is strictly voluntary. Infotech does not offer financial rewards, compensation, or bug bounties for accepted vulnerability reports.