IPRoyal Vulnerability Disclosure Policy
Introduction
IPRoyal takes the security of our systems seriously. We understand that no technology is perfect, and we value the security community’s efforts in helping us maintain a safe environment for our users. This Policy establishes a framework for security researchers who wish to report potential vulnerabilities in our systems. Participation in this program is voluntary. By submitting a report, you confirm your acceptance of these terms.
What We Want You to Test
Authorized Targets:
The following assets are authorized for security testing:
| Asset | Description |
|---|---|
| iproyal.com | Primary website |
| dashboard.iproyal.com | Customer portal |
| api.iproyal.com | API endpoints |
| apid.iproyal.com | API endpoints |
| resi-api.iproyal.com | API endpoints |
| data-api.iproyal.com | API endpoints |
Not Authorized:
Everything else falls outside this Policy. This includes internal systems, corporate infrastructure, employee devices, and any third-party services we integrate with. If you discover a vulnerability in a third-party component, please report it to that vendor directly.
Interested in testing something not listed? Reach out to us first at [email protected].
Vulnerabilities We’re Not Looking For
To help focus efforts on meaningful findings, the following are generally not eligible under this Policy:
Infrastructure & Configuration:
- DoS/DDoS attacks at network or application level
- SSL/TLS version or cipher suite concerns
- Missing security headers without demonstrated exploitation
- Server or software version disclosure
- DNS configuration issues
- Email security settings (SPF, DKIM, DMARC) without demonstrated abuse
Authentication & Session:
- Account lockout or rate limiting observations
- Username enumeration through authentication flows
- Password policy suggestions
- Session handling during credential changes (without demonstrated account takeover)
- Missing email verification steps
Low-Impact Findings:
- CSRF on logout or unauthenticated forms
- Self-XSS requiring victim interaction with their own session
- Clickjacking on pages with no sensitive actions
- Autocomplete enabled on forms
- Known CVEs in libraries without a working proof of concept against our implementation
- Output of automated scanners without validation
- Theoretical attacks requiring unlikely user behavior or physical device access
- Content found in robots.txt, sitemap.xml, or similar public files
Rules of Engagement
We Ask That You:
- Report vulnerabilities promptly — don’t sit on findings
- Use only test accounts you create or control
- Limit your testing to what’s necessary to demonstrate the issue
- Remove any IPRoyal user data you encounter immediately
- Keep all findings confidential until we’ve resolved them
- Respect our users — never access, modify, or exfiltrate their data
Please Don’t:
- Run automated scanners or fuzzers without prior approval
- Exceed reasonable request volumes (keep it under 6 requests/second)
- Attempt social engineering against our staff
- Perform physical security tests
- Disrupt our services or degrade user experience
- Demand payment as a condition of disclosure
- Share vulnerability details with anyone other than IPRoyal until resolved
How to Report
Send your findings to: [email protected]
Anonymous submissions are accepted.
A Strong Report Includes:
- Summary — What did you find and why does it matter?
- Technical Details — Affected endpoints, parameters, or components
- Reproduction Steps — Clear instructions we can follow to verify the issue
- Evidence — Screenshots, HTTP request/response pairs, video walkthrough
- Your Testing Context — IP addresses used, test account details, timestamps
- Impact Assessment — What could an attacker realistically achieve?
The more complete your report, the faster we can act on it.
What Happens Next
| Stage | Timeframe | What We Do |
|---|---|---|
| Acknowledgment | Within 5 business days | Confirm we received your report |
| Triage | Varies by complexity | Assess validity and severity |
| Remediation | Depends on finding | Develop and deploy a fix |
| Closure | After fix is verified | Notify you and discuss disclosure |
We’ll keep you updated throughout this process, and we welcome dialogue if you have questions or additional context to share.
Coordinated Disclosure
We request that you allow us 90 days from your initial report before any disclosure. Complex issues may require additional time. We’re committed to working with you on an appropriate disclosure timeline and will coordinate with you before making any public statements about the vulnerability.
Legal Safe Harbor
When you conduct research in good faith and in accordance with this Policy:
- We will not pursue legal action against you under computer fraud laws
- We will not file claims against you for circumventing security measures
- We consider your testing authorized and exempt from our Terms of Service restrictions
Should any third party take legal action against you for research conducted under this Policy, we will make reasonable efforts to clarify that your activities were authorized.
This safe harbor is contingent on your compliance with this Policy and all applicable laws.
Rewards
We may, at our sole discretion, offer recognition or compensation for qualifying vulnerability reports. There is no guaranteed reward, and any decision regarding rewards will be made after our internal review is complete.
Our assessment considers factors such as:
- Technical severity and real-world exploitability
- Clarity and quality of the report
- Potential business and user impact
- Whether the vulnerability was previously known
We will communicate any reward decision directly to you following the conclusion of our triage process.
Contact
Security Team: [email protected]
Questions about scope, eligibility, or this Policy? Reach out before you start testing — we’re happy to clarify.