Skip to content
IQ AI
  • Platform
  • Case files
  • Model stack
  • Journal
Contact ↗

Policy / 02

Security Research Policy

We welcome careful reports that help protect users and systems. This policy defines the boundaries for responsible, authorized research and coordinated disclosure.

Effective
July 15, 2026
Report
contact@iqsecurity.ai
Authorization is required.

This page is not standing permission to test any system. Obtain explicit written authorization from IQ AI before testing, or follow the scope and rules of the applicable third-party security program.

1. Scope

Research is in scope only when the specific asset and testing activity are identified in written authorization from IQ AI. If an asset is not expressly listed, treat it as out of scope and ask before proceeding.

Third-party services, customer environments, vendors, social media accounts, physical locations, employees, and systems that IQ AI does not own are out of scope unless their owner has separately authorized the research. Security research conducted through another organization's bug bounty or vulnerability disclosure program is governed by that organization's scope and rules, not this policy.

2. Rules of engagement

For any research that IQ AI has authorized, you must:

  • stay within the approved assets, methods, dates, and rate limits;
  • use accounts and data you own or have permission to use;
  • collect only the minimum evidence needed to demonstrate impact;
  • stop testing and report promptly if you encounter personal data, secrets, unexpected access, or service instability;
  • avoid changing, downloading, retaining, or deleting data beyond what is strictly necessary for a minimal proof;
  • avoid persistence and remove any test artifacts you create; and
  • comply with applicable law and any additional written instructions.

3. Prohibited activity

Authorization never includes:

  • denial of service, load testing, or resource exhaustion;
  • social engineering, phishing, impersonation, or physical intrusion;
  • malware, ransomware, destructive testing, or persistent access;
  • credential stuffing, brute force, password spraying, or testing leaked credentials;
  • accessing another person's account, communications, or private data;
  • high-volume automated scanning or activity that degrades a service;
  • extortion, threats, or demands tied to disclosure; or
  • public disclosure of a suspected vulnerability before coordination is complete or written permission is provided.

4. How to report

Email contact@iqsecurity.ai with the subject "Security report". Include, when available:

  • the affected asset and a concise description of the issue;
  • the date, time, and time zone of testing;
  • clear reproduction steps and the expected security impact;
  • a minimal proof with sensitive values redacted; and
  • your preferred name and a reliable way to contact you.

Do not attach credentials, large datasets, or unnecessary personal information to the initial email. Tell us what sensitive material you hold, and we can coordinate an appropriate transfer method.

5. Our response

We will make a reasonable effort to acknowledge a complete report, assess it, and provide updates when appropriate. Response and remediation time varies with severity, complexity, and dependencies. Please allow us a reasonable opportunity to investigate and address the issue before any disclosure.

This policy does not promise payment, a bounty, public credit, or a CVE identifier. Any reward or recognition must be agreed in writing or offered under a separate program.

6. Coordinated disclosure

Keep report details confidential while we investigate. Propose any desired publication timeline in your report. Publication requires our written approval unless a separate program's rules expressly provide otherwise. If the issue affects a third party, we may coordinate with that party and limit the information shared to what is reasonably needed for remediation.

7. Good-faith research

IQ AI does not intend to pursue legal action for research that we explicitly authorized in writing and that is conducted in good faith within that authorization and this policy. If you accidentally exceed a boundary, stop immediately, avoid further access, and report what happened. We will consider prompt, transparent handling when reviewing the incident.

This statement applies only to IQ AI and cannot authorize activity on behalf of third parties, waive third-party rights, or prevent actions required by law. If you are uncertain whether an action is authorized, ask us before taking it.

8. Contact

Ask for authorization, clarify scope, or submit a report at contact@iqsecurity.ai.

Autonomous bug bounty and pentesting, built in Iraq.

PlatformPublic researchCase filesJournalContactX ↗

IQ AI supports authorized security research, coordinated disclosure, and ethical vulnerability reporting. Referenced company names do not imply endorsement or partnership.

Privacy policySecurity research policy

© 2026 IQ AI

contact@iqsecurity.ai

Baghdad, Iraq