Policy
Inka Entworks believes that it’s crucial to collaborate with security researchers all over the world to ensure the safety of our users. If you believe you have discovered a security breach.
Process to report an issue
- E-mail your findings to security@inka.co.kr. Please include your contact information, with a valid email address.
- Do provide enough information to reproduce the problem, so we will be able to resolve it as quickly as possible.
- Screenshots or video recordings that explain the process in detail would be very helpful.
Responsible Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to resolve the issue as soon as we can.
- You are not supposed to disclose the vulnerability to the public or a third party.
- Work directly with our team on vulnerability submissions.
- Provide a detailed description of a proof of concept that shows how to reproduce the vulnerability.
- Do not engage in disruptive actions or any action that could impact the confidentiality, integrity or availability of information and systems.
- Do not engage in social engineering or phishing of customers or employees.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 business days of submission)
- Make a code or configuration change based on the issue.
Scope
- Any public-facing website owned, operated, or controlled by Inka Entworks, including web applications hosted.
- Any vulnerabilities that you come across in any of our product platforms, such as Pallycon and AppSealing.
Out of scope
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Resource Exhaustion Attacks
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Any client sites or services hosted by third party providers and services are excluded from scope.
- You do not exfiltrate any data under any circumstances
- You do not intentionally compromise the privacy or safety of Inka Entworks personnel or any third parties
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any Inka Entworks personnel or entities, or any third parties.
- Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.