Security First: InkDecoder is committed to maintaining the highest security standards for our document transcription service. We welcome responsible security research and work collaboratively with the security community to protect our users.
1. Security Program Overview
InkDecoder takes security seriously and has established a comprehensive security program to protect our users' data and maintain service integrity. Our security efforts focus on:
- Defensive Security: Protecting against threats and vulnerabilities
- Data Protection: Safeguarding user documents and personal information
- Service Availability: Ensuring reliable and secure access to our transcription services
- Compliance: Meeting regulatory requirements and industry standards
- Transparency: Open communication about security practices and incidents
Our Commitment: We are dedicated to working with security researchers to identify and resolve potential vulnerabilities before they can impact our users.
3. Responsible Disclosure Policy
InkDecoder follows industry best practices for responsible disclosure and encourages security researchers to report vulnerabilities through our coordinated disclosure process.
3.1 Our Commitment to Researchers
We Promise:
- Prompt acknowledgment and investigation of reports
- Regular updates on remediation progress
- Credit and recognition for valid findings
- No legal action against good-faith security research
- Coordination on public disclosure timing
3.2 Researcher Expectations
We ask security researchers to:
- Report vulnerabilities privately before public disclosure
- Allow reasonable time for investigation and remediation
- Avoid accessing, modifying, or deleting user data
- Not perform testing that could degrade service availability
- Respect user privacy and confidentiality
- Follow applicable laws and regulations
3.3 Coordinated Disclosure Timeline
Day 0: Vulnerability reported to InkDecoder security team
Day 1: Initial acknowledgment and triage
Day 7: Assessment completion and remediation plan
Day 30-90: Fix development and deployment (this is the general window; critical and high severity issues are fixed faster, on the targets in Section 6.1)
Post-Fix: Coordinated public disclosure discussion
4. Vulnerability Reporting Process
Step 1: Initial Report Submission
Send a detailed vulnerability report to security@inkdecoder.com including:
- Clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Proof of concept (if applicable)
- Suggested remediation steps
- Your contact information for follow-up
Step 2: Report Acknowledgment
You will receive an acknowledgment within the window for the reported severity (see Section 6.1; 24 hours or less for high and critical issues) containing:
- Unique tracking identifier
- Initial assessment of report validity
- Next steps in the investigation process
- Point of contact for ongoing communication
Step 3: Vulnerability Assessment
Our security team will:
- Reproduce and validate the vulnerability
- Assess severity and potential impact
- Determine affected systems and components
- Develop remediation strategy
- Provide regular status updates
Step 4: Remediation and Resolution
Based on severity, we will:
- Implement appropriate fixes or mitigations
- Test remediation thoroughly
- Deploy fixes to production systems
- Verify vulnerability resolution
- Document lessons learned
Step 5: Disclosure and Recognition
After remediation:
- Coordinate public disclosure timing
- Provide researcher recognition (if desired)
- Share technical details of the fix
- Update security documentation
- Implement additional preventive measures
5. Vulnerability Severity Classification
We use the Common Vulnerability Scoring System (CVSS) v3.1 to classify vulnerability severity:
5.1 Critical Severity 9.0-10.0
Examples:
- Remote code execution without authentication
- Complete system compromise
- Massive data exposure or breach
- Authentication bypass affecting all users
Response Time: 4 hours acknowledgment, 72 hours for initial fix
5.2 High Severity 7.0-8.9
Examples:
- SQL injection with data access
- Privilege escalation vulnerabilities
- Unauthorized data access
- Cross-site scripting affecting sensitive operations
Response Time: 24 hours acknowledgment, 7 days for initial fix
5.3 Medium Severity 4.0-6.9
Examples:
- Cross-site request forgery
- Information disclosure
- Denial of service vulnerabilities (report the weakness; do not demonstrate it against live systems, see Section 7.2)
- Insecure direct object references
Response Time: 48 hours acknowledgment, 30 days for fix
5.4 Low Severity 0.1-3.9
Examples:
- Minor information leakage
- Security misconfigurations
- Low-impact denial of service (again, report rather than demonstrate)
- Missing security headers
Response Time: 5 business days acknowledgment, 90 days for fix
6. Response Timeline and Process
6.1 Response Time Commitments
Our response times are based on vulnerability severity:
Severity | Acknowledgment | Assessment | Initial Fix
--- | --- | --- | ---
Critical | 4 hours | 24 hours | 72 hours
High | 24 hours | 3 days | 7 days
Medium | 48 hours | 7 days | 30 days
Low | 5 business days | 14 days | 90 days
6.2 Communication During Response
Throughout the process, we provide:
- Regular status updates (weekly for critical/high, every two weeks for medium/low)
- Clear communication about remediation timelines
- Technical discussion about fix approaches
- Coordination on disclosure timeline
- Recognition and credit preferences
6.3 Escalation Process
If response times are not met or you need to escalate:
- Contact the Security Team Lead at cso@inkdecoder.com
- Include original report tracking ID and timeline concerns
- For critical issues, use emergency contact: emergency-security@inkdecoder.com
- As a last resort, contact our legal team at legal@inkdecoder.com
7. Security Research Scope
7.1 In-Scope Systems and Services
Authorized Testing Targets:
- InkDecoder web application (*.inkdecoder.com)
- Public API endpoints
- Authentication and session management
- Document upload and processing functionality
- Payment processing integration
- Account management features
7.2 Out-of-Scope Systems
Do NOT Test:
- Third-party services themselves (OpenAI, Stripe, cloud providers); how InkDecoder integrates with them, for example the payment processing integration, remains in scope under 7.1
- Social engineering against employees
- Physical security of offices or data centers
- Denial of service attacks
- Testing that affects other users' data or service availability
- Brute force attacks against authentication
7.3 Testing Guidelines
When conducting security research:
- Use Test Accounts: Create dedicated test accounts for research
- Limit Impact: Avoid actions that could affect service availability
- Respect Privacy: Do not access other users' data or documents
- Document Everything: Keep detailed records of testing methodology
- Stop if Dangerous: If you discover a critical vulnerability, stop at the point of proving it exists and report it immediately; do not pivot further or extract data to demonstrate impact
7.4 Prohibited Activities
- Accessing, modifying, or deleting user data
- Disrupting service availability or performance
- Violating user privacy or confidentiality
- Social engineering or phishing attacks
- Physical attacks or unauthorized access
- Testing outside the authorized scope in Section 7.1 without explicit written permission
8. Legal Protection for Researchers
8.1 Safe Harbor Provisions
Legal Protection: InkDecoder will not pursue legal action against security researchers who:
- Follow our responsible disclosure policy
- Act in good faith
- Do not violate applicable laws
- Respect user privacy and data
- Avoid service disruption
- Report findings privately first
8.2 Terms and Conditions
By participating in our security research program, you agree to:
- Follow all applicable local, state, and federal laws
- Respect the terms outlined in this policy
- Not exceed the scope of authorized testing
- Maintain confidentiality during the disclosure process
- Cooperate with our security team throughout the process
8.3 Legal Disclaimer
This policy does not:
- Grant permission to violate applicable laws
- Create any contractual relationship
- Waive any legal rights of InkDecoder
- Apply to malicious or unauthorized activities
- Protect against prosecution by third parties
9. Security Researcher Recognition
9.1 Hall of Fame
We maintain a security researcher hall of fame to recognize contributors:
- Public recognition on our website (with permission)
- Credit in security advisories and CVE publications
- LinkedIn recommendations for security professionals
- Conference speaking opportunity referrals
- InkDecoder swag and certificates
9.2 Recognition Criteria
Researchers may receive recognition for:
- Valid vulnerability reports
- High-quality research and documentation
- Professional communication throughout the process
- Adherence to responsible disclosure practices
- Constructive collaboration with our security team
9.3 Anonymity Options
We respect researcher preferences regarding public recognition:
- Full public attribution with name and affiliation
- Partial attribution with handle or organization only
- Anonymous recognition as "Security Researcher"
- No public recognition (private acknowledgment only)
10. Secure Communication
10.1 Encrypted Email Communication
For sensitive vulnerability reports, we support encrypted communication:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Example PGP public key would be inserted here]
This is a placeholder for the actual PGP public key
Contact security@inkdecoder.com for the current key
-----END PGP PUBLIC KEY BLOCK-----
10.2 Secure File Transfer
For large files or sensitive proof-of-concepts:
- Encrypt email attachments to our PGP key (Section 10.1)
- Upload to secure file sharing services with encryption
- Contact us for alternative secure transfer methods
- Do not use unencrypted cloud storage or file sharing
10.3 Signal/Secure Messaging
For real-time communication during critical incidents:
- Signal: Available upon request for critical issues
- Other secure messaging platforms by arrangement
- Voice calls for urgent coordination
11. Emergency Security Contacts
11.1 Incident Escalation
Emergency reports automatically escalate to:
- Chief Security Officer
- Chief Technology Officer
- Security Team Lead
- On-call engineering team
- Executive leadership (for critical incidents)
11.2 After-Hours Support
Our security team provides after-hours coverage for:
- Critical and high severity vulnerabilities
- Active security incidents
- Time-sensitive disclosure coordination
- Researcher escalations
12. Compliance and Standards
12.1 Security Standards
InkDecoder's security program aligns with industry standards:
- ISO 27001: Information security management
- NIST Cybersecurity Framework: Risk management approach
- OWASP Top 10: Web application security best practices
- CIS Controls: Critical security controls implementation
- SOC 2: Security, availability, and confidentiality controls
12.2 Regulatory Compliance
Our security practices support compliance with:
- GDPR: European data protection regulation
- CCPA: California Consumer Privacy Act
- SOX: Sarbanes-Oxley financial reporting requirements
- HIPAA: Healthcare information privacy (where applicable)
- PCI DSS: Payment card data security standards
12.3 Security Certifications
Our team maintains relevant security certifications:
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- GIAC Security Essentials (GSEC)
- AWS/Cloud security certifications
- Vendor-specific security certifications
12.4 Audit and Assessment
Regular security assessments include:
- Annual third-party security audits
- Quarterly vulnerability assessments
- Continuous penetration testing
- Code security reviews
- Infrastructure security assessments
Thank You: InkDecoder appreciates the security research community's efforts to help keep our service secure. Your responsible disclosure and collaboration help protect our users and improve our security posture.
InkDecoder Security Contact & Responsible Disclosure Policy - Effective as of
Security is a collaborative effort between InkDecoder and the security research community.