
Coordinated-disclosure policy

CybrIQ runs a coordinated-disclosure program for security researchers. Reports are read by a human within one business day, triaged within three, and remediated under the coordinated-disclosure timeline defined below. Researchers who have reported confirmed findings are acknowledged at the end of this page.

How to report

Send vulnerability reports to security@cybriq.io. Use PGP encryption if the finding is sensitive (the PGP key fingerprint is shared on request). The security.txt file at /.well-known/security.txt is the canonical record of this contact information.

A useful report includes: a short description of the issue, steps to reproduce, the affected component or endpoint, and a proof-of-concept or reproduction environment where applicable. Researchers do not need to supply a severity rating; CybrIQ assesses severity with the standard CVSS 3.1 calculator and shares its scoring back with the reporter.

Scope

In scope:

  • The CybrIQ platform itself (RoomIQ, SpacesIQ, the management plane, and the underlying APIs).
  • The cybriq.io website and any public CybrIQ-operated subdomains.
  • The CybrIQ-operated SaaS control plane infrastructure.

Out of scope:

  • Third-party services and infrastructure CybrIQ relies on (these go to the upstream provider's program).
  • Customer-managed CybrIQ deployments hosted by the customer (those follow the customer's own program).
  • Findings that require physical access to CybrIQ employee endpoints, social engineering of CybrIQ staff, or denial of service against production systems.

Coordinated-disclosure timeline

  • Day 1 (acknowledgment): human response confirming receipt and assigning a tracking ID.
  • Day 3 (triage): initial severity assessment shared with the reporter.
  • Day 30 (status): remediation status update, including expected fix-deployment window.
  • Day 90 (default disclosure): coordinated public disclosure unless the fix has been deployed and confirmed earlier, or unless an extension is mutually agreed for high-impact findings.

Safe harbor

CybrIQ commits to good-faith handling of vulnerability reports. Researchers who follow this policy in good faith — making reasonable effort to avoid privacy violations, destruction of data, or interruption of service — are operating within authorized scope. CybrIQ will not initiate legal action against researchers acting in good faith and within this policy.

Bounty

CybrIQ pays bounties for confirmed valid findings. The bounty schedule is shared with the reporter at the triage stage and scales with severity (CVSS low / medium / high / critical). Payment is made on confirmed remediation, not on initial report.

For research that fundamentally improves the platform's security posture (architecture-level findings, novel attack chains), CybrIQ will fund follow-on engagement with the researcher under separate terms.

Acknowledgments

Researchers who have reported confirmed valid findings under this policy are listed below, with their permission. Newest first.

No public acknowledgments yet. The program runs continuously; this list is updated as findings are confirmed and disclosure is coordinated.

Customer-environment findings

If you are a CybrIQ customer who believes a misconfiguration in your own deployment has resulted in a security finding, contact your SupportIQ on-call rotation rather than this address. The on-call team can reproduce against your environment quickly; this address is for findings against the platform itself.
