
Iceslab v0.1.8 - open-source operator panel under AGPL-3.0. First publish 2026-05-19, latest v0.1.8 on 2026-06-20.


Legal | Document 03 · security | v1 · 14 May 2026

Security

If you've found a vulnerability in our software, infrastructure, or this site - tell us. We answer. We fix. We credit you. This is how.

Our side of the bargain

A safe harbour, in plain English.

  • We won't sue you for honest research

    As long as you stay within the scope below and don't degrade service, you're acting in good faith.

  • We'll acknowledge fast and update you weekly

    No black holes. If we drop off, write again - we have not "decided to ignore".

  • We credit you publicly, unless you'd rather not

    Hall of fame below. Name, handle, link - your call.

  • We post a public write-up after the fix ships

    Field notes get the story. Customers + community learn from it. You're co-author if you want to be.

Scope

What's in, what's out.

Two columns. Bugs in column 01 are eligible for credit and a thank-you. Targets in column 02 are someone else's problem or off-limits.

In scope - please test

  • icecompany.tech (this site)

    XSS, server misconfig, dependency CVEs

  • Iceslab panel + staging instances

    Auth, panel UI, API endpoints

  • Iceslab open-core repo

    Code-level bugs in protocol runners, supervisor, CLI

  • Icepath Mini App

    Subscription logic, region routing, config delivery

  • Icepath VPN nodes

    Auth bypass, traffic leak, log-policy violations

  • Email / DNS / mail infrastructure

    SPF/DKIM/DMARC, DNS hijack vectors

Out of scope - don't test

  • Volumetric DoS / DDoS

    Don't degrade service to prove a point

  • Social-engineering our team

    Don't phish us, don't pretext, don't bribe

  • Operator-deployed Iceslab instances

    Test against the operator who runs it, not us

  • Third-party services - Telegram and our hosting providers

    Their own disclosure programs apply

  • Physical access to our offices or staff homes

    No, just no

  • Other users' accounts or data

    Use a test account; we'll spin one up for you

How disclosure flows

Five steps, no surprises.

  1. Write to security@icecompany.tech

    Include: what, where, how to repro. Screenshots, scripts, requests/responses - whatever you have.

  2. We acknowledge within 1 working day

    A real engineer reads your report and writes back with a ticket ID. No autoresponder.

  3. Triage and severity in 3 working days

    We classify the bug, agree on a fix window, and let you know if there's anything we'd push back on. You're in the loop.

  4. We fix, ship, and verify with you

    Critical issues: emergency patch within 72 hours. Everything else: scheduled into the nearest release. We send you a build to verify.

  5. Public write-up, after the fix is out

    We publish to field notes once the fix is deployed broadly. You're credited (or anonymous, your choice) and can co-author the technical breakdown.

Hall of fame

Be the first.

No reports yet.

Find something real and you'll be credited here - by name, handle, or anonymous, your call.