Security
Vulnerability disclosure policy
If you believe you found a security vulnerability affecting Intaxion, email security@intaxion.com. Include the affected URL, a short description, reproduction steps, and any supporting screenshots or logs that do not contain taxpayer data.
Safe testing scope
Use only your own accounts, your own data, or explicit written test authorization. Do not access, modify, delete, or exfiltrate taxpayer data, customer records, credentials, secrets, or non-public system data.
Out of scope
Denial-of-service testing, social engineering, phishing, physical attacks, spam, automated high-volume scanning, and attempts to bypass rate limits are not authorized.
What to expect
We review valid reports and prioritize issues based on risk to taxpayer data, authentication, authorization, and platform integrity. No bounty program is offered. Public acknowledgment is optional and only issued after a report is validated and remediated.
Acknowledgments
Public credits, when available, are listed on the security acknowledgments page.