How to report
- Email: security@irsa-us.org
- Include affected URL(s), reproducible steps, impact assessment, and optional remediation suggestions.
- Avoid submitting sensitive personal data unless strictly necessary for reproduction.
Disclosure expectations
- Do not publicly disclose vulnerabilities before ISA-Alliance has had a reasonable time to investigate and patch.
- Do not attempt destructive testing, service interruption, or unauthorized data access.
- Good-faith researchers acting responsibly are welcomed and appreciated.
Machine-readable policy
Automated systems should use the RFC-compliant policy file at /.well-known/security.txt.