1. Introduction

At Einix SA, security is fundamental to everything we build. We develop enterprise software for defense, energy, and critical infrastructure sectors where security failures can have serious consequences. We value the security research community and welcome responsible disclosure of vulnerabilities.

This policy describes how to report security vulnerabilities to us, what you can expect from us, and what we expect from you.

2. Reporting a Vulnerability

Security Contact

Email: security [at] einix [dot] fr

PGP Key: Download PGP Key

Web Form: Contact Form (Recommended)

Languages: English, French, German

When reporting a vulnerability, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Affected product(s) and version(s)
  • Any proof-of-concept code or screenshots
  • Your assessment of the severity and potential impact
  • Your contact information for follow-up

3. Our Commitment

Response Timeline

  • Initial Response: Within 48 hours
  • Triage & Assessment: Within 7 days
  • Status Updates: Every 14 days minimum
  • Resolution Target: 90 days for most issues

We commit to:

  • Acknowledging receipt of your report within 48 hours
  • Providing an estimated timeline for resolution
  • Keeping you informed of our progress
  • Crediting you in any public disclosure (unless you prefer anonymity)
  • Not pursuing legal action against researchers who follow this policy

4. Scope

| Asset | Status |
|---|---|
| einix.fr website and subdomains | In Scope |
| Einix product software (with license) | In Scope |
| Open source projects (SHELLOG, DECISCOPE CLI) | In Scope |
| API endpoints documented in product documentation | In Scope |
| Third-party services and integrations | Out of Scope |
| Physical security testing | Out of Scope |
| Social engineering attacks | Out of Scope |
| Denial of Service attacks | Out of Scope |

5. Qualifying Vulnerabilities

We are particularly interested in:

  • Remote code execution vulnerabilities
  • Authentication and authorization bypasses
  • Cryptographic weaknesses
  • Injection vulnerabilities (SQL, command, etc.)
  • Cross-site scripting (XSS) and CSRF
  • Sensitive data exposure
  • Server-side request forgery (SSRF)
  • Business logic flaws with security impact

Non-Qualifying Issues

The following typically do not qualify:

  • Vulnerabilities requiring physical access
  • Self-XSS (user attacking themselves)
  • Missing security headers without demonstrable impact
  • Clickjacking on pages without sensitive actions
  • Rate limiting issues without security impact
  • Outdated software versions without exploitable vulnerability

6. Researcher Guidelines

When conducting security research, please:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial of service attacks
  • Do not send unsolicited emails to users (phishing tests)
  • Do not publicly disclose vulnerabilities before we've resolved them
  • Do stop testing and report immediately if you access sensitive data
  • Do use test accounts you create yourself when possible
  • Do minimize the impact of your testing on our systems

7. Safe Harbor

Einix SA considers security research conducted in accordance with this policy to be:

  • Authorized under applicable anti-hacking laws
  • Authorized under applicable anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would otherwise prohibit security research

We will not pursue civil or criminal action against researchers who follow this policy. If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted in compliance with this policy.

8. Recognition

We believe in recognizing the valuable contributions of security researchers. For qualifying vulnerabilities, we offer:

  • Public acknowledgment (with your permission) in our security advisories
  • A letter of appreciation for your professional portfolio
  • Consideration for our Hall of Fame

Note: We do not currently offer monetary bounties, but we deeply value and appreciate responsible disclosure.

9. Contact

For security matters, please use our secure contact form or reach us at:

Email: security [at] einix [dot] fr
Response Time: Within 48 hours
Encryption: PGP key available at /.well-known/pgp-key.txt

Last updated: February 2026
