Security & Vulnerability Disclosure
Last updated: July 6, 2026
MigraIQ handles sensitive personal data — including immigration documents, passport copies, and financial records. Security is not a checkbox for us; it is a core product requirement. We welcome responsible disclosure from security researchers and the broader community.
If you believe you have found a security vulnerability in any MigraIQ system, please report it to us. We commit to working with you in good faith and resolving confirmed issues promptly.
How to Report
Email security@migraiq.com with a clear description of the issue. Please include:
- The affected URL, endpoint, or component
- Steps to reproduce the vulnerability
- The potential impact you observed or inferred
- Any proof-of-concept code, screenshots, or request/response captures (if available)
You may encrypt your report using our PGP key — write to the address above first and we will share the key on request.
What to Expect
- Acknowledgement within 3 business days — we will confirm receipt of your report
- Initial assessment within 10 business days — we will triage the issue and communicate whether it is confirmed, duplicate, or out of scope
- Regular updates — we will keep you informed of remediation progress for confirmed issues
- Credit — with your permission, we will publicly acknowledge your contribution after the vulnerability is fixed
We do not currently operate a paid bug bounty programme. We may establish one in the future.
Scope
In scope
- migraiq.com — marketing site
- app.migraiq.com — authenticated application
- admin.migraiq.com — internal admin console
- All API endpoints under these domains
- Authentication and session management flows
- Document upload, storage, and retrieval
- Billing and payment flows
- Data exposure or access control issues
Out of scope
- Denial-of-service attacks (volumetric, application-layer, or resource exhaustion)
- Social engineering or phishing of MigraIQ staff or users
- Physical security of our infrastructure
- Attacks that require physical access to a user's device
- Vulnerabilities in third-party services (Clerk, Stripe, Supabase, Cloudflare) — report those directly to the relevant vendor
- Automated scanner findings without manual verification of impact
- Missing security headers on pages that do not handle sensitive data
- Rate-limit bypass on low-sensitivity public endpoints
- Self-XSS that requires the attacker to be the victim
- TLS configuration issues below a CVSS score of 5.0
Safe Harbour
We consider good-faith security research conducted under this policy to be authorised. We will not initiate or recommend legal action against researchers who:
- Notify us promptly and provide adequate detail to reproduce and verify the issue
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access, modify, or delete user data beyond minimal proof of access
- Do not degrade the availability of our services
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it (coordinated disclosure)
This safe harbour applies only to activities described in this policy and does not extend to other laws or jurisdictions that may apply to your actions.
Coordinated Disclosure
We ask that you give us at least 90 days from initial report to remediate a confirmed vulnerability before public disclosure. If you believe the issue poses an immediate risk to users, contact us and we will work to expedite resolution.
Contact
Security reports: security@migraiq.com
This policy is also referenced in our security.txt file.