Responsible Disclosure Policy
Effective date: 1 February 2026
At NorthStarIQ Partners, we want security researchers to feel comfortable reporting vulnerabilities responsibly — so issues get fixed before they become incidents. Our approach is aligned with widely used coordinated vulnerability disclosure practices.
1) What this policy covers
This policy applies to security vulnerabilities you discover in:
- Our public website(s) under northstariq-partners.co.za
- Any web apps, portals, or pages we operate under the same domain
- Any other NorthStarIQ-owned internet-facing assets we explicitly list as “in scope” on this page (if we add more later)
If you’re unsure whether something is in scope, report it anyway — we’ll guide you.
2) Good-faith rules of engagement
If you choose to test, we ask you to keep it safe and clean:
Do
- Test in a way that avoids harming users, data, or availability
- Use the minimum amount of access and data needed to prove the issue
- Stop once you have a clear proof-of-concept
- Report promptly and keep details confidential until we fix it
Don’t
- Use social engineering (phishing, vishing), physical access attempts, or threats
- Run denial-of-service / stress testing (including request floods)
- Exfiltrate, alter, or delete data (including customer/client data)
- Access accounts or data that aren’t yours
- Introduce malware, backdoors, or persistence
- Publicly disclose before coordinated timelines are agreed
These rules matter — South Africa’s Cybercrimes Act criminalises unlawful/unauthorised access and related conduct, so we need testing to remain strictly “good-faith and minimal impact.”
3) Safe harbor (our commitment)
If you make a good-faith effort to follow this policy, we will:
- treat your testing as authorised for the limited purpose of security research on in-scope assets, and
- not initiate legal action against you for that research.
This commitment is based on standard safe-harbor patterns used in vulnerability disclosure policies.
Important: Safe harbor doesn’t apply if you:
- act outside scope,
- cause harm, disruption, or data loss,
- use coercion/extortion, or
- sell/share exploit details before we’ve had a fair chance to remediate.
4) How to report a vulnerability
Email: privacy@northstariq-partners.co.za
Subject line: Responsible Disclosure – [short issue name]
Please include (as much as you can):
- A clear description of the issue and where you found it (URL/endpoint)
- Steps to reproduce (or a minimal proof-of-concept)
- What you believe the impact is (confidentiality/integrity/availability)
- Any supporting screenshots/logs
- Your preferred contact details and how you’d like to be credited (optional)
If encryption is important for your report, tell us and we’ll arrange a secure channel.
5) What happens after you report
We aim to follow a structured vulnerability-handling process consistent with common standards.
Our typical workflow:
- Acknowledge receipt (usually within a few business days)
- Triage (confirm, classify severity, identify affected components)
- Remediate (fix and test)
- Close out (confirm resolution, optionally coordinate disclosure/credit)
We’ll keep you updated at reasonable intervals, especially for higher severity issues.
6) Coordinated disclosure
Please don’t publish the vulnerability details until we’ve had a reasonable chance to fix it.
If you want to publish (e.g., a blog post), we’re open to coordinated disclosure:
- we’ll agree a timeline together, and
- we’ll align on what can be shared safely (so we reduce risk, not increase it).
This is consistent with coordinated vulnerability disclosure norms.
7) Rewards / bug bounty
At this time, we do not run a paid bug bounty program unless explicitly stated on this page.
However, we’re happy to:
- provide public credit (with your permission), and
- build a positive relationship with researchers who report responsibly.
8) Out of scope (examples)
We generally consider the following out of scope unless there’s clear impact:
- Self-XSS, clickjacking on pages without sensitive actions
- Missing security headers with no practical exploit path
- “Version disclosure” findings without exploitability
- Reports based only on automated scanner output with no demonstrated risk
If you’re unsure, submit it — we’d rather triage than miss something real.
9) Legal note
This policy does not give blanket permission to access systems. It’s a framework for good-faith, minimal-impact security research and coordinated reporting. Unauthorised access and harmful activity can still be offences under applicable law, including the Cybercrimes Act.
10) Thank you
If you report issues responsibly, you’re helping us keep our systems — and our clients — safer. We take that seriously.