Security & Vulnerability Disclosure

Last updated: March 21, 2026

At Ionhour, we take the security of our platform and your data seriously. This page outlines our security practices and provides guidelines for reporting security vulnerabilities responsibly.

1. Our Security Practices

  • All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256
  • Authentication is managed through a self-hosted Keycloak instance with industry-standard password hashing
  • Role-based access control (RBAC) is enforced throughout the platform, with need-to-know access to production systems
  • Infrastructure is hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and ISO 27017 certifications
  • We conduct periodic security reviews and penetration testing of our platform
  • Multi-tenant workspace isolation is enforced through tenant-scoped database queries
  • Automated monitoring and alerting systems detect and respond to anomalous activity

2. Responsible Disclosure Policy

How to Report

If you discover a security vulnerability in the Ionhour platform, please report it responsibly by emailing [email protected]. Please include the following in your report:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact or severity of the vulnerability
  • Any supporting evidence such as screenshots, logs, or proof-of-concept code

A PGP key is available upon request for encrypted communications.

What We Commit To

  • Acknowledge receipt of your report within 48 hours
  • Provide an initial assessment of the vulnerability within 5 business days
  • Keep you informed of the progress toward resolution
  • Credit you publicly for the discovery (with your permission)
  • Not pursue legal action against researchers who act in good faith and comply with this policy

What We Ask

  • Allow a minimum of 90 days before publicly disclosing the vulnerability
  • Do not access or modify other users’ data during your research
  • Do not degrade the performance or availability of the Service
  • Do not engage in social engineering, phishing, or physical attacks against Ionhour employees or users
  • Do not exploit a vulnerability beyond what is necessary to demonstrate a proof of concept

3. Scope

The following assets are in scope for security research:

  • app.ionhour.com
  • api.ionhour.com
  • ionhour.com

The following are out of scope:

  • Third-party services and integrations
  • Denial-of-service (DoS/DDoS) attacks
  • Social engineering attacks
  • Physical attacks against Ionhour facilities
  • Attacks targeting Ionhour employees or users

4. Safe Harbour

Ionhour will not pursue civil or criminal action against security researchers who:

  • Act in good faith and in accordance with this disclosure policy
  • Avoid privacy violations and destruction of data
  • Do not cause service interruption or degradation
  • Report vulnerabilities promptly upon discovery
  • Do not publicly disclose the vulnerability before it has been resolved

5. Contact