Security
Vulnerability Disclosure Policy
Exosys Sàrl builds security software, and we hold our own products to the standard we ask of others. If you believe you have found a security vulnerability in EnforceGate vX or in enforcegate.com, we want to hear from you. This policy explains how to report it, what is in scope, and what you can expect from us in return.
It complements the group-wide Exosys Vulnerability Disclosure Policy, which covers all Exosys properties; this page is the EnforceGate-specific entry point.
Report a vulnerability
Email us directly; please use this channel rather than support, sales, or social media. For sensitive details, encrypt your message to our PGP key, and check that the key you fetch has the fingerprint ending in the key ID shown below before you encrypt. We read reports in English and French.
PGP key 0x10ED57003F73C2B4 (public key) · security.txt
1 What to include
The more detail you provide, the faster we can validate and fix the issue. Where possible, please include:
- A clear description of the vulnerability and the type of issue.
- Step-by-step reproduction instructions, or a proof of concept.
- The affected component and, for the product, the version or image tag; for the website, the affected URL.
- The potential impact — what an attacker could achieve.
- Any suggested remediation (optional).
- How we can reach you, and whether you would like to be credited once the issue is resolved.
2 Scope
In scope
- enforcegate.com and its subdomains.
- The EnforceGate vX product — engine, connector, captive portal and TLS terminator — as shipped in the official Docker images and virtual-appliance builds.
- Weaknesses in default configurations shipped by Exosys, and in Exosys-published APIs.
Out of scope
- Third-party services and infrastructure not operated by Exosys.
- Social engineering or phishing.
- Denial-of-service or volumetric attacks.
- Physical attacks on premises or hardware.
- Findings that require an already-compromised host, or operator-level (administrative) access, as a precondition.
- Non-default, operator-chosen insecure configurations.
- Missing security headers or other best-practice gaps with no demonstrated security impact, and automated scanner output without a working proof of concept.
EnforceGate vX is self-hosted: the security of an operator's own deployment, network and configuration is their responsibility. Flaws in the product as we ship it are in scope.
3 What to expect from us
We will keep you informed of meaningful progress while we validate and fix the issue, and we treat your report as confidential.
4 Coordinated disclosure
Please give us a reasonable opportunity to investigate and remediate before disclosing any details publicly. We will work with you on disclosure timing and would rather agree it together than impose a fixed deadline; please hold off on public disclosure until a fix has been released or we have mutually agreed otherwise.
5 Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorised. We will not pursue or support legal action against you for accidental, good-faith violations, and we will work with you to understand and resolve the issue quickly.
This protection does not extend to actions that intentionally harm Exosys, our customers or their users, or that breach applicable law.
6 Researcher guidelines
To keep your research within good-faith, authorised testing, please:
- Only interact with accounts and data that belong to you, or that you have explicit permission to test.
- Do not access, modify, destroy or exfiltrate data that is not yours, and stop and report as soon as you confirm a vulnerability.
- Do not degrade, interrupt or run denial-of-service tests against any service.
- Avoid privacy violations and disruption to other users.
- Keep the details of any vulnerability confidential until it is resolved and disclosure is coordinated.
7 Recognition
We do not currently run a paid bug-bounty programme. We are, however, genuinely grateful to the researchers who help us keep EnforceGate secure, and — with your permission — we are glad to credit you publicly once an issue has been resolved.