Security Policy

Security is central to everything we build, for our own systems and for our clients'. We follow industry best practices, keep dependencies up to date, and harden infrastructure by default. This page describes how we handle vulnerabilities and how you can responsibly disclose one to us.

If you believe you have found a security vulnerability in any system operated by iinix (including this website), please report it to us before disclosing it publicly. Responsible disclosure gives us time to investigate and fix the issue, protecting users and preventing harm.

Email: security@iinix.com

We aim to acknowledge all reports within 24 hours, provide an initial assessment within 3 business days, and keep you informed as we work toward a fix.

To help us triage and resolve the issue as quickly as possible, please include:

• A clear description of the vulnerability and its potential impact.
• The affected URL, endpoint, or component.
• Step-by-step reproduction instructions.
• Proof-of-concept code or screenshots, if applicable.
• Your suggested severity (low / medium / high / critical).

You are welcome to submit reports anonymously. If you'd like credit when we publish an advisory or fix, please include how you'd like to be credited.

In scope for responsible disclosure:

• This website and any iinix-operated subdomains.
• Authentication and session handling flaws.
• Injection vulnerabilities (SQL, command, template, etc.).
• Cross-site scripting (XSS) and cross-site request forgery (CSRF).
• Insecure direct object references and broken access control.
• Sensitive data exposure.

Out of scope:

• Denial-of-service attacks (DoS/DDoS).
• Automated scanning, fuzzing, or brute-force testing without prior agreement.
• Social engineering of iinix staff or clients.
• Physical security.
• Issues affecting third-party services or infrastructure we do not control.
• Theoretical vulnerabilities without a demonstrated impact.

If you report a vulnerability in good faith and follow this policy, we commit to:

• Not pursuing legal action against you for the report.
• Working with you to understand and confirm the issue.
• Notifying you when the vulnerability has been resolved.
• Crediting you publicly (if you wish) once the issue is fixed.

We ask in return that you do not access, modify, or delete any data beyond what is needed to demonstrate the vulnerability, and that you do not disclose the issue to others until we have had a reasonable opportunity to fix it.

Measures currently in place on this website and our infrastructure:

• HTTPS enforced with HSTS (in production).
• Django's built-in CSRF, XSS, and clickjacking protections enabled.
• Content Security Policy and X-Frame-Options: DENY headers.
• Secure and HttpOnly session cookies (in production).
• Honeypot and server-side validation on all user-submitted forms.
• Dependencies reviewed and updated regularly.
• Admin interface restricted and not exposed to the public internet in production.

Security disclosures: security@iinix.com

General privacy questions: Privacy Policy