Security & Responsible Disclosure
We take the security of IntelliCoach Courses seriously. If you believe you have found a security vulnerability in any of our systems, we appreciate your help in disclosing it to us responsibly.
Scope
This policy covers the intellicoachcourses.com domain and its subdomains, the Next.js application and its API endpoints, the Listmonk newsletter system, and any associated infrastructure operated by IntelliCoach Pte Ltd. Third-party services we integrate with (Whop, Stalwart, Cloudflare) have their own disclosure programs.
How to Report
Please email details of any suspected vulnerability to our dedicated security address. Include a clear description, reproduction steps, and any proof-of-concept you can share safely. If you need to share sensitive data, mention it in your first message and we will arrange an encrypted channel.
security@intellicoachcourses.com
Our Response SLA
We aim to acknowledge every good-faith report within 48 hours of receipt. We will keep you informed of our remediation progress, coordinate on disclosure timing, and credit you publicly once a fix has shipped unless you prefer to remain anonymous.
Safe Harbor
We will not pursue legal action against security researchers who act in good faith, respect user privacy, avoid data destruction, and do not exploit any vulnerability beyond what is necessary to demonstrate the issue. This policy is your authorization to research within the scope defined above.
Out of Scope
- Denial-of-service or load testing of production systems.
- Social engineering of IntelliCoach staff, contractors, or customers.
- Physical attacks against offices, infrastructure, or personnel.
This policy is referenced from our /.well-known/security.txt file per RFC 9116.