Responsible Disclosure Policy

Last updated: March 30, 2026 | Effective date: March 30, 2026

1. Introduction

3D Tesla LLC ("3D Tesla," "we," "us"), operating as LicenseIQ, is committed to the security of our platform, our users, and their data. We recognize the valuable role that independent security researchers play in maintaining the security of internet-connected systems.

This Responsible Disclosure Policy outlines how security researchers can report vulnerabilities to us in a safe, legal, and coordinated manner. We encourage the security community to help us identify and remediate security issues in the LicenseIQ platform.

2. Scope

This policy applies to security vulnerabilities discovered in the following assets owned and operated by 3D Tesla LLC:

  • Web application: https://licenseiq.app and all subdomains
  • API endpoints: All /api/* routes served by the LicenseIQ application
  • Authentication flows: Onboarding, beta registration, and login processes
  • Client-side code: JavaScript, PDF generation, and browser-based functionality

Out of scope:

  • Third-party services we use (Microsoft Azure, Microsoft Entra ID, Microsoft Graph API, Stripe, Azure Communication Services) — report issues to those vendors directly.
  • Denial-of-Service (DoS/DDoS) attacks.
  • Social engineering attacks against LicenseIQ employees or users.
  • Physical security of our infrastructure.
  • Automated vulnerability scanning that generates excessive traffic or degrades service availability.
  • Issues in third-party libraries that do not have a demonstrable impact on LicenseIQ.

3. How to Report a Vulnerability

If you believe you have discovered a security vulnerability in LicenseIQ, please report it to us by email:

Security vulnerability reports: security@licenseiq.app

Your report should include:

  • A clear description of the vulnerability, including the type of issue (e.g., XSS, injection, authentication bypass, data exposure).
  • Step-by-step instructions to reproduce the vulnerability.
  • The URL(s), API endpoint(s), or component(s) affected.
  • The potential impact of the vulnerability if exploited.
  • Any proof-of-concept code, screenshots, or HTTP request/response captures.
  • Your recommended remediation, if any.
  • Your name or alias (for acknowledgment purposes, optional).

Please encrypt sensitive reports using our PGP key if available. Contact security@licenseiq.app to request our public key.

4. What We Ask of You (Guidelines for Researchers)

To ensure a safe and productive disclosure process, we ask that you:

  • Act in good faith. Research should be conducted to improve security, not to cause harm, access unauthorized data, or disrupt services.
  • Do not access, modify, or delete user data. If you accidentally access user data during your research, stop immediately, do not save or share the data, and include this information in your report.
  • Do not exploit the vulnerability beyond what is strictly necessary to demonstrate its existence and impact.
  • Do not perform automated scanning at a volume that could degrade service availability for other users.
  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it (see Section 6 — Disclosure Timeline).
  • Use test accounts only. Do not test against accounts belonging to other users. If you need a test account, contact us and we will provide one.
  • Do not attempt to access M365 tenant data belonging to other LicenseIQ customers.
  • Comply with all applicable laws in your jurisdiction and ours (State of Florida, United States).

5. What We Commit To

When you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledgment: We will acknowledge receipt of your report within 3 business days.
  • Assessment: We will investigate and validate the reported vulnerability within 10 business days of acknowledgment.
  • Communication: We will keep you informed of the progress of our investigation and provide an estimated timeline for remediation.
  • Remediation: We will work to remediate confirmed vulnerabilities within a timeframe proportional to their severity:
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 60 days
  • No legal action: We will not pursue legal action against researchers who act in good faith and in compliance with this policy.
  • Recognition: With your permission, we will publicly acknowledge your contribution on our Security Acknowledgments page (see Section 8).

6. Disclosure Timeline

We follow a coordinated disclosure model:

  • Day 0: Vulnerability report received. Acknowledgment sent within 3 business days.
  • Day 1–10: Investigation and validation. Severity classification assigned.
  • Day 10–90: Remediation period. We will work to fix the vulnerability within the timeframes specified in Section 5.
  • Day 90 (maximum): If we have not remediated the vulnerability within 90 days, you may publicly disclose it. We ask that you notify us at least 7 days before public disclosure so we can prepare a communication for affected users.

We may request a reasonable extension of the 90-day timeline for complex issues. Extensions will be mutually agreed upon.

7. Vulnerability Classification

We classify vulnerabilities using the following severity levels, aligned with the CVSS (Common Vulnerability Scoring System) framework:

Critical (CVSS 9.0–10.0) — Remote code execution, authentication bypass, unauthorized access to customer M365 tenant data, complete database compromise.
High (CVSS 7.0–8.9) — Stored XSS, SQL/OData injection, privilege escalation, unauthorized access to another user's scan results or settings.
Medium (CVSS 4.0–6.9) — Reflected XSS, CSRF on state-changing endpoints, information disclosure of non-sensitive data, rate limiting bypass.
Low (CVSS 0.1–3.9) — Information leakage in error messages, minor misconfigurations, self-XSS, issues requiring unlikely user interaction.

8. Recognition and Acknowledgments

We appreciate the efforts of security researchers who help keep LicenseIQ and our users safe. With your permission, we will:

  • Publicly acknowledge your contribution on this page (name or alias of your choice).
  • Provide a letter of acknowledgment that you may use for professional purposes.

Note on bounties: LicenseIQ does not currently operate a paid bug bounty program. However, we deeply value your contributions and will provide recognition as described above. We may introduce a formal bounty program in the future.

9. Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar state laws, to the extent that the research is consistent with this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA) §1201, to the extent that circumvention of technological measures is necessary for and limited to good-faith security research.
  • Lawful and conducted in the public interest, and we will not initiate or support legal action against you for activities conducted in compliance with this policy.

If a third party initiates legal action against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were authorized under this policy.

This safe harbor applies only if you comply with the guidelines in Section 4 and act in good faith throughout the process.

10. Security Measures We Employ

For transparency, the following is a summary of the security measures currently implemented in the LicenseIQ platform:

  • Encryption: TLS 1.2+ for all data in transit; AES-256 encryption at rest via Azure Storage Service Encryption.
  • Authentication: Delegated to Microsoft Entra External ID (CIAM). We do not store user passwords.
  • Authorization: Role-based access control (Admin, User) with policy-based endpoint protection.
  • API security: Read-only Microsoft Graph API permissions. Customer App Registration credentials stored with encryption at rest.
  • Input validation: Server-side validation on all endpoints. Parameterized queries for Azure Table Storage.
  • XSS prevention: Server-side JSON serialization for all JavaScript-embedded data. No use of innerHTML with unsanitized user input.
  • Rate limiting: IP-based rate limiting on all anonymous/public endpoints (3–10 requests per minute).
  • Bot protection: Honeypot fields on all public forms.
  • Data isolation: Per-user logical data isolation by Entra Object ID.
  • Payment security: PCI DSS compliance delegated to Stripe. We do not handle or store payment card data.
  • Email blacklist: System-level email blocking for abusive accounts.

11. Exclusions

The following types of reports are generally not considered valid vulnerability reports under this policy:

  • Vulnerabilities in third-party services or libraries without a demonstrated, exploitable impact on LicenseIQ.
  • Issues related to browser extensions or modifications.
  • Reports from automated scanners without manual verification and proof of exploitability.
  • Missing security headers that do not lead to a demonstrated vulnerability (e.g., missing X-Frame-Options where clickjacking is not feasible).
  • Rate limiting or brute-force issues on endpoints that are already rate-limited.
  • Email configuration issues (SPF, DKIM, DMARC) unless they can be exploited to impersonate LicenseIQ.
  • Reports of vulnerabilities in non-current (outdated) versions of the application.
  • Theoretical vulnerabilities without evidence of practical exploitability.

12. Changes to This Policy

We may update this Responsible Disclosure Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage researchers to review this policy periodically.

13. Contact

For security vulnerability reports and questions about this policy:

3D Tesla LLC — LicenseIQ
Security reports: security@licenseiq.app
General support: support@licenseiq.app
Website: https://licenseiq.app

Thank you for helping keep LicenseIQ and our users safe.