Vulnerability Disclosure Program
Effective Date: March 19, 2026
IncoreSoft Ukraine LLC values the security community's efforts in helping keep our products and services secure. This Vulnerability Disclosure Program ("Program") provides guidelines for security researchers to report vulnerabilities in our eligible products and services in a responsible and coordinated manner.
We are committed to working with researchers who report security issues in good faith. We will not take legal action against individuals who discover and report vulnerabilities in accordance with this Program. IncoreSoft reserves the right to modify or terminate this Program at any time.
1. Eligibility
1.1 Eligible Participants
To participate in this Program, you must:
- Be at least 18 years old (or have parental consent if considered a minor in your jurisdiction)
- Participate individually, or have authorization from your organization
- Not be a resident of a country subject to international trade sanctions
- Not be a current or former IncoreSoft employee (within the past 6 months) or an immediate family member of such an employee
1.2 Ineligible Participants
The following individuals are not eligible to participate:
- Government and education employees without prior ethics or compliance approval from their organization
- Individuals employed by or contracted with IncoreSoft within the 6 months prior to submission
- Individuals in external contractor roles that require access to IncoreSoft's corporate network or internal systems
- Individuals involved in the administration of this Program
2. Scope
2.1 Eligible Targets
The following domains and products are approved for security testing:
- *.incoresoft.com
- IncoreSoft AI video analytics software products (desktop clients, plugins, and integrations)
2.2 Out-of-Scope Vulnerabilities
The following are generally considered out of scope:
- Missing security headers that do not lead to a direct vulnerability (e.g., X-Frame-Options, Content-Security-Policy)
- Missing email security configurations (DMARC, DKIM, SPF, DNSSEC) unless they lead to a demonstrable exploit
- Denial of Service (DoS/DDoS) attacks
- Social engineering or phishing attacks against IncoreSoft employees or users
- Physical attacks against IncoreSoft offices or data centers
- Vulnerabilities in third-party software or services not developed by IncoreSoft
- Reports from automated vulnerability scanners without a demonstrated proof-of-concept
- Clickjacking on pages with no sensitive actions
- Self-XSS (where the user can only attack themselves)
3. Submission Process
Security researchers should report vulnerabilities by email to: security@incoresoft.com
Use the subject line: "Finding for Vulnerability Disclosure Program"
Your report should include:
- Issue type — classification of the vulnerability (e.g., XSS, SQL Injection, IDOR, RCE)
- Affected URL or product — the specific location or component where the vulnerability exists
- Reproduction steps — clear, detailed steps to reproduce the issue
- Proof-of-concept — code, screenshots, or video demonstrating the vulnerability
- Impact assessment — your analysis of the potential impact and severity
- Your contact information — so we can follow up and coordinate
Please do not include sensitive data (such as passwords, personal information of others, or production data) in your report.
4. Coordinated Vulnerability Disclosure (CVD)
- We request at least 90 days from the date of report to assess, triage, and remediate the vulnerability before any public disclosure.
- We will work with the researcher throughout the investigation and remediation process.
- Early disclosure may occur only if active exploitation is detected before an update is released.
- We will coordinate with the researcher on the timing and content of any public disclosure.
- We will credit the researcher in any public disclosure or advisory, unless the researcher opts out.
5. Submission License
By submitting a vulnerability report, you grant IncoreSoft a non-exclusive, perpetual, worldwide, royalty-free license to use, test, modify, and incorporate the submission. You represent and warrant that:
- The submission is your original work
- You have the right to grant the license described above
- The submission does not infringe on any third-party rights
6. Confidentiality
Detailed exploit code, technical specifics, and reproduction steps must remain confidential for at least 30 days after the vulnerability is fixed and a patch or update has been released. Premature disclosure may result in disqualification from the Program and potential legal action.
You may not disclose any vulnerability to third parties without IncoreSoft's prior written consent during the remediation period.
7. Code of Conduct
When participating in this Program, you must not:
- Engage in any illegal activity, including unauthorized access, data destruction, or denial-of-service attacks
- Access, modify, delete, or exfiltrate data belonging to other users or customers
- Use social engineering, phishing, or pretexting against IncoreSoft employees, contractors, or users
- Transmit malware, ransomware, or other malicious software
- Exploit a vulnerability beyond the minimum necessary to demonstrate its existence
- Test in a manner that degrades the performance or availability of our services
- Engage in any activity that violates privacy laws or regulations
- Engage in spam, harassment, or distribution of misleading content
Researchers must comply with all applicable laws and regulations while participating in this Program.
8. Safe Harbor
- Authorized — IncoreSoft will not initiate legal action for accidental, good-faith violations
- Exempt from CFAA (Computer Fraud and Abuse Act) claims to the extent the research complies with this Program
- Exempt from DMCA (Digital Millennium Copyright Act) claims related to circumvention of technology controls
If legal action is initiated by a third party against you for activities conducted in accordance with this Program, we will make reasonable efforts to make it known that your actions were conducted in compliance with this Program.
9. Disclaimers
INCORESOFT PROVIDES NO WARRANTIES, EXPRESS OR IMPLIED, REGARDING PARTICIPATION IN THIS PROGRAM. PARTICIPATION IS ENTIRELY VOLUNTARY AND AT YOUR OWN RISK. INCORESOFT SHALL NOT BE LIABLE FOR ANY DAMAGES ARISING FROM YOUR PARTICIPATION IN THIS PROGRAM.
This Program does not constitute an employment or contractor relationship between you and IncoreSoft.
10. Recognition
Researchers who report valid vulnerabilities in accordance with this Program may be publicly recognized on our website or security advisories, unless they explicitly opt out. We respect your preference for anonymity.
11. Contact
Email: security@incoresoft.com
IncoreSoft Ukraine LLC
Mykoly Amosova side street, 28A
21000 Vinnytsia, Ukraine
Privacy inquiries: privacy@incoresoft.com