Legal | Document 03 · security | v1 · 14 May 2026

Security

If you've found a vulnerability in our software, infrastructure, or this site — tell us. We answer. We fix. We credit you. This is how.

Our side of the bargain

A safe harbour, in plain English.

  • We won't sue you for honest research

    As long as you stay within the scope below and don't degrade service, you're acting in good faith.

  • We'll acknowledge fast and update you weekly

    No black holes. If we drop off, write again — we have not "decided to ignore".

  • We credit you publicly, unless you'd rather not

    Hall of fame below. Name, handle, link — your call.

  • We post a public write-up after the fix ships

    Field notes get the story. Customers + community learn from it. You're co-author if you want to be.

Scope

What's in, what's out.

Two columns. Bugs in column 01 are eligible for credit and a thank-you. Targets in column 02 are someone else's problem or off-limits.

In scope — please test

  • icecompany.tech (this site)

    XSS, server misconfig, dependency CVEs

  • Iceslab.icecompany.tech & staging.iceslab

    Auth, panel UI, API endpoints, license server

  • Iceslab open-core repo

    Code-level bugs in protocol runners, supervisor, CLI

  • Icepath Mini App

    Subscription logic, region routing, config delivery

  • Icepath VPN nodes

    Auth bypass, traffic leak, log-policy violations

  • Email / DNS / mail infrastructure

    SPF/DKIM/DMARC, DNS hijack vectors

Out of scope — don't test

  • Volumetric DoS / DDoS

    Don't degrade service to prove a point

  • Social-engineering our team

    Don't phish us, don't pretext, don't bribe

  • Operator-deployed Iceslab instances

    Test against the operator who runs it, not us

  • Third-party services — Telegram, Vercel, Hetzner

    Their own disclosure programs apply

  • Physical access to our offices or staff homes

    No, just no

  • Other users' accounts or data

    Use a test account; we'll spin one up for you

How disclosure flows

Five steps, no surprises.

Median fix time: 11 days, from first report to deployed fix. Critical sevs ship faster.

  1. Write to security@icecompany.tech

    Include: what, where, how to repro. Screenshots, scripts, requests/responses — whatever you have. PGP encryption is appreciated for sensitive bugs.

  2. We acknowledge within 1 working day

    A real engineer reads your report and writes back with a ticket ID. No autoresponder.

  3. Triage and severity in 3 working days

    We classify the bug, agree on a fix window, and let you know if there's anything we'd push back on. You're in the loop.

  4. We fix, ship, and verify with you

    Critical issues: emergency patch within 72 hours. Everything else: scheduled into the nearest release. We send you a build to verify.

  5. Public write-up, after the fix is out

    We publish to field notes once the fix is deployed broadly. You're credited (or anonymous, your choice) and can co-author the technical breakdown.

PGP key

Encrypt sensitive bugs.

Key fingerprint: A6F7 3D1E 9B40 C82F ── 5E14 88B0 77C3 A901 E2D5
Created: 2026-01-14 · expires 2028-01-14
Download: icecompany.tech/.well-known/security.asc

Pinned at keys.openpgp.org, and the fingerprint is committed to every release tag in the Iceslab repo.

Hall of fame

People who already helped.

  • 2026-04 · @nyx-research · Iceslab — admin token leak via TRACE
  • 2026-03 · Marina A. · Icepath — Mini App CSP bypass
  • 2026-02 · anonymous · Iceslab — race condition in key rotation
  • 2026-02 · @k.lemon · Site — DKIM misalignment
Write-ups · soon