Security Policy
Responsible disclosure.
If you've found a security issue in anything Remilink operates, this website, client-facing systems we host, or deliverables we've shipped , we want to hear about it. Straight to an architect, with acknowledgement within one business day.
In scope
- remilink.com and its subdomains we operate.
- Client-facing systems we host as part of an active engagement (coordinate via the engagement architect first).
- Artifacts we've delivered where we retain a live operational role.
Out of scope
- Client systems we no longer operate or that predate our involvement.
- Reports generated solely by automated scanners without a demonstrated impact.
- Social-engineering or physical-security tests against staff or offices.
- Denial-of-service or resource-exhaustion testing.
What to expect
- Acknowledgement within one business day.
- Initial severity triage and remediation plan within five business days.
- Public credit in our disclosure log on request (name + link of your choosing), unless you prefer to remain anonymous.
- No legal action against research conducted in good faith within the scope above.
How to report
- Describe the issue: steps to reproduce, expected vs. actual behaviour, and the system or URL affected.
- Attach proofs (request/response pairs, screenshots, or a video), no customer data, redacted where possible.
- Tell us the severity you believe applies and why.
- Send to [email protected].