Security Disclosure Policy
We welcome responsible disclosure of security vulnerabilities in IMCS platform software.
Last updated: 6 April 2026
Scope
This policy covers security vulnerabilities in the IMCS platform software:
- Core messaging gateway service
- Authentication service
- iOS, Android, Windows, and Web client applications
- Cryptographic protocol implementation
- Admin console
This policy does NOT cover:
- Specific deployment locations, configurations, or network details
- Customer data or agency infrastructure
- Physical security of server facilities
- Social engineering or phishing attacks against personnel
How to Report
Email: security@imcs.gov
Encrypt your report:
PGP Key Fingerprint: A043 D5E4 3CB3 3A65 5343 4C0D 7B7F 0AA7 4D1D 3498
Download: pgp-key.asc
What to include in your report:
- Description of the vulnerability
- Steps to reproduce (as detailed as possible)
- Affected component and version
- Potential impact assessment
- Any proof-of-concept code (optional but helpful)
- Your suggested remediation (optional)
Our Commitments
- Acknowledge receipt within 2 business days
- Provide an initial triage assessment within 7 business days
- Keep you informed of remediation progress
- Credit you in our Security Hall of Fame (with your permission)
- Not pursue legal action against researchers acting in good faith
Coordinated Disclosure Timeline
- Day 0: Report received
- Day 7: Initial assessment
- Day 90: Fix deployed (target)
- Public disclosure
We aim to resolve Critical and High severity vulnerabilities within 90 days. We may request an extension for complex issues — we will always communicate our timeline openly.
Out of Scope
The following are NOT in scope for this programme:
- Denial of service (DoS/DDoS) attacks
- Social engineering of IMCS personnel
- Physical attacks on hardware
- Vulnerabilities requiring physical access to the device
- Vulnerabilities in third-party components not controlled by IMCS (report these to the respective vendor)
- Issues in already-known outdated software versions
Safe Harbour
We will not pursue legal action against security researchers who: report vulnerabilities through this programme in good faith, avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability, and do not publicly disclose vulnerabilities before the agreed disclosure date.
Severity Response Times
| Severity | Definition | Response Time | Patch Target |
|---|---|---|---|
| Critical (CVSS 9.0–10.0) | Full system compromise possible | 1 business day | 14 days |
| High (CVSS 7.0–8.9) | Significant exposure | 2 business days | 30 days |
| Medium (CVSS 4.0–6.9) | Notable weakness | 5 business days | 90 days |
| Low (CVSS < 4.0) | Minor issue | 10 business days | Next release |