Iceslab v0.1.8 - open-source operator panel under AGPL-3.0. First publish 2026-05-19, latest v0.1.8 on 2026-06-20.
Security
If you've found a vulnerability in our software, infrastructure, or this site - tell us. We answer. We fix. We credit you. This is how.
A safe harbour, in plain English.
- ✓ We won't sue you for honest research
  As long as you stay within the scope below and don't degrade service, you're acting in good faith.
- ✓ We'll acknowledge fast and update you weekly
  No black holes. If we drop off, write again - we have not "decided to ignore".
- ✓ We credit you publicly, unless you'd rather not
  Hall of fame below. Name, handle, link - your call.
- ✓ We post a public write-up after the fix ships
  Field notes get the story. Customers + community learn from it. You're co-author if you want to be.
What's in, what's out.
Two columns. Bugs in column 01 are eligible for credit and a thank-you. Targets in column 02 are someone else's problem or off-limits.
In scope - please test
- + icecompany.tech (this site)
  XSS, server misconfig, dependency CVEs
- + Iceslab panel + staging instances
  Auth, panel UI, API endpoints
- + Iceslab open-core repo
  Code-level bugs in protocol runners, supervisor, CLI
- + Icepath Mini App
  Subscription logic, region routing, config delivery
- + Icepath VPN nodes
  Auth bypass, traffic leak, log-policy violations
- + Email / DNS / mail infrastructure
  SPF/DKIM/DMARC, DNS hijack vectors
Out of scope - don't test
- ✕ Volumetric DoS / DDoS
  Don't degrade service to prove a point
- ✕ Social-engineering our team
  Don't phish us, don't pretext, don't bribe
- ✕ Operator-deployed Iceslab instances
  Test against the operator who runs it, not us
- ✕ Third-party services - Telegram and our hosting providers
  Their own disclosure programs apply
- ✕ Physical access to our offices or staff homes
  No, just no
- ✕ Other users' accounts or data
  Use a test account; we'll spin one up for you
Five steps, no surprises.
- 01 Write to security@icecompany.tech
  Include: what, where, how to repro. Screenshots, scripts, requests/responses - whatever you have.
- 02 We acknowledge within 1 working day
  A real engineer reads your report and writes back with a ticket ID. No autoresponder.
- 03 Triage and severity in 3 working days
  We classify the bug, agree on a fix window, and let you know if there's anything we'd push back on. You're in the loop.
- 04 We fix, ship, and verify with you
  Critical issues: emergency patch within 72 hours. Everything else: scheduled into the nearest release. We send you a build to verify.
- 05 Public write-up, after the fix is out
  We publish to field notes once the fix is deployed broadly. You're credited (or anonymous, your choice) and can co-author the technical breakdown.
Be the first.
No reports yet.
Find something real and you'll be credited here - by name, handle, or anonymous, your call.