Vulnerability Disclosure Policy
Version 1.0 · Last updated June 2026
1. Introduction
Internetivo Ltd ("Internetivo", "we", "us", "our") values the work of the security research community and supports coordinated, good-faith vulnerability disclosure for the IVO work marketplace platform ("Platform"). This Vulnerability Disclosure Policy ("Policy") explains how to report a security vulnerability, what we ask of researchers, and the safe-harbour protection we offer for research conducted within its rules.
This Policy forms part of, and should be read with, the Terms of Service and the Acceptable Use Policy. Security testing carried out within this Policy is authorised and is treated as an exception to the prohibition on security probing in the Acceptable Use Policy.
2. Scope
2.1 In Scope
This Policy covers Internetivo's own public-facing production services that you can reach through the official IVO web application, public API, and official mobile application, where the vulnerability concerns a genuine security weakness in services operated directly by Internetivo.
2.2 Out of Scope
The following are out of scope and must not be tested under this Policy:
- Services, instances, and infrastructure operated by third parties, including our payment processor, our identity-verification provider, hosting and content-delivery providers, and any other sub-processor.
- Federated Nodes and any environment operated by an independent node operator.
- Other Users' accounts, data, or content.
- Physical security, and the personnel, offices, or staff of Internetivo or its providers.
- Social engineering of any person, including phishing and pretexting.
2.3 Typically Non-Qualifying Reports
Reports that generally do not qualify include findings without a realistic security impact, missing best-practice hardening that is not exploitable, theoretical issues without a working proof of concept, reports generated solely by automated scanners without validation, and issues that require unrealistic user interaction or already-compromised devices.
To protect Users and avoid aiding attackers, this Policy does not publish details of Internetivo's internal systems, architecture, or defences. Stay within the externally observable behaviour of the in-scope services.
3. How to Report
Send your report by opening a security ticket. Please include:
- A clear description of the vulnerability and the affected service or endpoint.
- The steps required to reproduce it, with a minimal proof of concept.
- An assessment of the potential impact.
- Any supporting material, such as request and response excerpts or screenshots, with sensitive data redacted.
- A way for us to contact you for follow-up.
Please submit reports in English where possible and avoid including unnecessary personal data.
4. Our Commitments
We aim, on a best-efforts basis, to:
- Acknowledge receipt of your report within 5 business days.
- Provide an initial assessment or triage outcome within 10 business days.
- Keep you reasonably informed of progress toward remediation.
- Remediate validated vulnerabilities within a timeframe appropriate to their severity, prioritising the most serious issues.
- Credit you for your discovery if you wish, once the issue is resolved.
These are targets, not guarantees, and may vary with the complexity and severity of the issue.
5. Safe Harbour
Internetivo will not pursue or support legal action against you for security research and vulnerability disclosure that is carried out in good faith and in full compliance with this Policy. Activity that complies with this Policy is considered authorised conduct, and we will not treat it as a breach of our Acceptable Use Policy or as unauthorised access under applicable computer-misuse and unauthorised-access laws. To the extent we are lawfully able, we waive any claim against you arising from compliant, good-faith research, and we will make clear to any relevant authority that your authorised testing was conducted with our permission under this Policy.
This safe harbour applies only while you remain within the rules in Section 6 and within scope. It does not extend to third parties, and it cannot waive the rights of third parties, including our providers, node operators, or other Users. If legal action is brought by a third party for activity that complied with this Policy, we will, where appropriate, make clear that your conduct was authorised.
6. Rules for Researchers
To remain within this Policy and its safe harbour, you must:
- Stay within the in-scope services and respect all out-of-scope exclusions.
- Make a good-faith effort to avoid privacy violations, and not access, modify, exfiltrate, retain, or destroy data that does not belong to you. If you encounter another person's data, stop and report it.
- Not degrade, disrupt, or interrupt the service, and not perform denial-of-service or load testing.
- Not use social engineering, phishing, or physical intrusion.
- Use only your own test accounts and data, and not interact with accounts you do not own or control.
- Limit testing to what is necessary to demonstrate the vulnerability, and avoid automated, high-volume, or destructive techniques.
- Keep the vulnerability confidential and not disclose it publicly until Internetivo has remediated it or has agreed in writing that you may disclose. We follow a coordinated-disclosure approach and will work with you on timing.
- Comply with all applicable laws.
7. Recognition, Not Bounty
Internetivo does not operate a paid bug-bounty program and does not promise monetary reward for reports. We may, at our sole discretion and where appropriate, offer recognition or acknowledgement for valid, original, good-faith reports. Any recognition is optional and discretionary.
8. Violation of This Policy
If you do not follow the rules in this Policy, the safe harbour in Section 5 does not apply to your activity, and Internetivo reserves all rights and remedies available under the Terms of Service, the Acceptable Use Policy, and applicable law. If you are ever unsure whether a specific action is permitted, contact us by opening a security ticket and ask before proceeding.
9. Changes to This Policy
Internetivo may update this Policy from time to time. The current version is published at the address below and applies to reports submitted after its effective date.
Experimental Features, Assumption of Risk, and Waiver
The Platform and its features are provided on an "as is" and "as available" basis and may include experimental, beta, preview, or in-development features that may be incomplete, may change or be withdrawn at any time, may not work as intended, and may produce errors. You use the Platform and any such feature at your own risk, and you are responsible for keeping your own backups of important data and files. Full detail is in the Experimental Features and Beta Disclaimer.
To the maximum extent permitted by applicable law, Internetivo gives no warranty of any kind and has no liability for, and you release Internetivo from and waive any claim arising from, software bugs or defects, errors, downtime or unavailability, loss of or damage to data or files, failed or delayed transactions, or any other technical issue, including any direct, indirect, or consequential loss. You agree to report any bug, defect, or issue, and any feedback, by opening a support ticket; doing so does not entitle you to any payment, credit, refund, or compensation.
To the maximum extent permitted by applicable law, you are not entitled to and waive any claim for reimbursement, compensation, refund of fees, damages, returns, or other monetary relief from Internetivo arising from these matters. This does not apply to your Credit balance, any Payouts owed to you, or amounts held in escrow for your tasks, which are handled under the Terms of Service and the Refund and Cancellation Policy. Nothing in this section excludes any liability that cannot be excluded under applicable law (including for death or personal injury caused by negligence, fraud, or gross negligence) or your mandatory rights as a consumer or data subject.
10. Contact
Internetivo Ltd
Security and disclosure: a security ticket
Legal: a legal ticket
Website: https://internetivo.com/legal
Related documents: Terms of Service, Acceptable Use Policy.
This Policy is governed by the laws of the Republic of Cyprus and EU law where applicable.