Responsible Disclosure Policy

ICON Agility Services is committed to protecting the security and privacy of our customers and the integrity of our systems. We welcome and appreciate the efforts of security researchers who help us identify and address vulnerabilities responsibly.

Scope

This policy applies to security vulnerabilities discovered in systems and assets owned and operated by ICON Agility Services, including:

  • www.iconagility.com and all subdomains
  • ICON Agility Services web applications and APIs
  • Internal tools that are accessible externally

If you are unsure whether a system falls within scope, please contact us before proceeding.

How to Report a Vulnerability

Please submit vulnerability reports to security@iconagility.com. To help us triage and respond quickly, include the following in your report:

  • A clear description of the vulnerability and its potential impact
  • The affected system or URL
  • Step-by-step instructions to reproduce the issue
  • Any supporting evidence (screenshots, proof-of-concept code, HTTP request/response details)
  • Your name or alias and preferred contact method (if you wish to be acknowledged)

You may encrypt sensitive reports using our PGP key. Please request our public key by emailing security@iconagility.com.

Our Commitments

When you submit a report in accordance with this policy, ICON Agility Services commits to the following:

  • Acknowledgment: We will acknowledge receipt of your report within 3 business days.
  • Communication: We will keep you informed of our progress as we investigate and remediate the issue.
  • Collaboration: We may reach out with follow-up questions to better understand or reproduce the issue.
  • Recognition: With your permission, we will acknowledge your contribution on our Security Acknowledgments page.
  • Safe harbor: We will not pursue legal action against researchers who act in good faith under this policy.

Out of Scope

The following activities are outside the scope of this policy and may result in legal action or referral to law enforcement:

  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Social engineering, phishing, or physical attacks against ICON employees or facilities
  • Testing on systems or assets not listed in scope above
  • Accessing, modifying, or deleting data belonging to other users without permission
  • Automated scanning that generates excessive load on our systems
  • Vulnerabilities in third-party services or software that we do not control

Good Faith Requirements

To qualify for safe harbor under this policy, researchers must:

  • Report vulnerabilities promptly and avoid exploiting them beyond what is necessary to demonstrate the issue
  • Avoid accessing, modifying, or exfiltrating any data beyond the minimum required to confirm a vulnerability
  • Not disclose vulnerability details publicly before we have had a reasonable opportunity to remediate (coordinated disclosure)
  • Comply with all applicable laws

Legal

ICON Agility Services will not pursue civil or criminal action against security researchers who discover and report vulnerabilities in good faith, following the guidelines set out in this policy. We consider such research to be a valuable contribution to the security of our customers and systems.

This policy does not grant permission to act in any way that is inconsistent with applicable law. Researchers are expected to comply with all relevant federal, state, and local laws.

Last updated: May 2025. Questions about this policy? Contact security@iconagility.com.