Trust

Security

How we protect customer data and infrastructure, and how to report security issues to us responsibly.

Reporting a vulnerability

We welcome reports from security researchers and the broader community. Please report issues to security@imagilux.org before disclosing publicly. If you require encrypted communication, our PGP key is available at [FILL IN: keyserver URL or fingerprint].

We aim to:

  • Acknowledge receipt within two business days.
  • Provide an initial assessment within five business days.
  • Coordinate disclosure with the reporter once a fix is available.

Scope

In scope:

  • This website (*.imagilux.org).
  • Published Imagilux products (UMF tooling, BOREAL).
  • First-party SDKs and reference implementations.

Out of scope:

  • Third-party services we integrate with (report those to the operator directly).
  • Self-DoS, social engineering of staff, physical attacks.
  • Findings derived from outdated or unsupported product versions.

Safe harbor

Good-faith research conducted in line with this policy will not result in legal action from Imagilux, provided the researcher:

  • Avoids privacy violations, service degradation, and data destruction.
  • Uses only the minimum interaction needed to demonstrate the issue.
  • Coordinates disclosure with us before going public.

Provenance and supply chain

UMF artifacts are signed end-to-end. Customers can verify the provenance of any image they pull. [FILL IN: link to verification documentation, key fingerprints, and SBOM availability.]

Compliance

[FILL IN: any certifications (SOC 2, ISO 27001, FedRAMP) and the auditor / report availability process — or omit this section until a certification is in scope.]

Hall of fame

We acknowledge researchers who have helped strengthen our products. [FILL IN: list reporters who have consented to public credit, in chronological order.]

Contact

General security questions or coordinated-disclosure follow-ups: contact us.

Last updated: 2026-05-06