Last Updated: 07/08/2026
Summary
Impact Laboratories and My Green Lab are committed to protecting the security and privacy of our systems and users.
This policy provides a channel for responsible reporting of legitimate security vulnerabilities affecting our in-scope systems.
This is not a bug bounty program. We do not provide compensation, rewards, certificates, public recognition, or other consideration for unsolicited vulnerability reports.
Scope
This policy applies only to internet-facing systems directly owned and operated by Impact Laboratories / My Green Lab, including designated production web applications and APIs.
Out of scope:
- social engineering
- phishing
- physical security testing
- denial of service or load testing
- spam
- credential stuffing
- automated high-volume scanning
- brute force testing
- attacks against third-party systems or vendors
- testing that accesses, modifies, or destroys data belonging to others
Submission Requirements
Reports should include:
- affected URL, application, or system
- clear reproduction steps
- description of demonstrated security impact
- sufficient detail for validation
Reports may be closed without action if they consist solely of:
- automated scanner output
- theoretical findings without demonstrated exploitability
- informational or low-risk observations
- duplicate submissions
- best-practice recommendations
Examples may include:
- missing security headers
- cookie configuration observations without material exploitability
- SPF / DKIM / DMARC recommendations
- version disclosures
- TLS configuration preferences
- clickjacking claims without demonstrated impact
Submit reports to:
security@mygreenlab.org
Authorized Conduct/Safe Harbor
If you comply with this policy, we will not pursue legal action solely for good-faith security research within the authorized scope of this policy.
Authorized activity does not include:
- service disruption
- automated scanning that creates operational burden
- accessing data beyond your own authorization
- persistence, privilege escalation, or lateral movement
- attempts to exfiltrate data
- attacks against personnel, vendors, or customers
Review Process
We review submissions at our discretion based on severity, impact, reproducibility, and operational relevance.
Submission does not create any obligation to respond, remediate, provide status updates, or correspond further.
Coordinated Disclosure
We request coordinated disclosure and ask that researchers refrain from public disclosure until we have had a reasonable opportunity to assess reported issues.