Responsible Disclosure

Security Policy

ISG FZ LLC takes the security of our systems, data, and client information seriously. If you believe you have identified a vulnerability in our infrastructure, websites, or services, we want to hear from you.

Acknowledgement SLA: 5 business days
Pre-disclosure window: 90 days minimum
Preferred language: English

01 How to report a vulnerability

Please email security@isg.green and include:

  • A clear description of the issue
  • Steps to reproduce, where applicable
  • Any proof-of-concept — keep it minimal, do not exfiltrate data
  • Your preferred name for acknowledgement, or a note if you would like to remain anonymous

We will acknowledge your report within 5 business days and provide status updates as we investigate.

02 Scope

In scope

  • Any subdomain of isg.green
  • Any subdomain of isg-fzllc.com
  • Email infrastructure hosted under ISG domains (via Migadu)
  • Any public web property operated directly by ISG FZ LLC

Out of scope — report to the third party

  • Microsoft 365, Office 365, Migadu, Cloudflare, banking portals, or any SaaS we use but do not operate
  • Vulnerabilities in client-owned portals we access but do not operate
  • Physical security of ISG offices
  • Social engineering of ISG staff, clients, or partners
  • Third-party dependency CVEs without a demonstrated path to exploitation in our environment

03 What we ask from researchers

  • Act in good faith and avoid accessing, modifying, or destroying data that is not your own
  • Do not run denial-of-service, load, rate-limit-exhaustion, or resource-exhaustion tests against us
  • Do not use automated vulnerability scanners at volume
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate
  • Give us at least 90 days before public disclosure, unless we agree otherwise

04 Safe harbor

Our commitment to researchers acting in good faith

If you act in good faith and within the scope of this policy, ISG FZ LLC will:

  • Not pursue legal or administrative action against you for your research activities
  • Not report your research activity to law enforcement
  • Work with you to understand the issue
  • Credit you publicly on our Acknowledgements page once the issue is remediated, unless you prefer to remain anonymous

05 What we cannot accept as findings

  • Missing HTTP security headers without a demonstrated exploit
  • Email spoofing reports against domains protected by our DMARC p=reject policy
  • Findings that rely on social engineering, phishing, or physical access
  • Issues in third-party services we do not operate
  • Duplicate reports — first reporter receives acknowledgement

06 Contact & updates

Direct all disclosures to security@isg.green. Our preferred language is English. This policy is reviewed at least annually.

The machine-readable version of this policy is published at /.well-known/security.txt in accordance with RFC 9116.

Document: Security Policy
Version: 1.0
Last updated: 22 April 2026
Next review: April 2027