We take security seriously at Integrated Web Solutions Australia (IWSA Studio). If you believe you’ve found a vulnerability, please let us know so we can fix it quickly. We welcome reports from researchers, customers, and the wider security community.

Scope

This policy covers public websites and services operated by IWSA Studio under the iwsa.com.au domain, unless a system is specifically excluded below. If you’re unsure whether something is in scope, ask us before testing.

In scope (examples)

• Authentication, authorisation, access-control issues
• Injection (XSS, SQLi, command injection), SSRF, deserialisation
• Sensitive data exposure and misconfigurations
• Broken or missing security headers with meaningful impact
• API issues (IDOR, rate-limit bypass, privilege escalation)

Out of scope

• Denial of Service (DoS), load/stress testing
• Spam, social engineering, phishing, or physical security
• Clickjacking on non-sensitive pages; missing SPF/DMARC only
• Use of leaked credentials not obtained through our systems
• Vulnerabilities in third-party platforms we do not control

How to report

• Email: nat@iwsa.com.au
• Include a clear description, steps to reproduce, affected URLs/endpoints, and a proof-of-concept if possible.
• Do not access, modify, or exfiltrate customer data. Use test accounts only.
• Keep your testing within what’s necessary to demonstrate impact.

Our commitment & timelines

• Acknowledge your report within 3 business days.
• Triage and provide an initial decision within 10 business days.
• Remediate based on severity and complexity. We’ll keep you updated.
• Coordinate disclosure with you; typical windows are 30–90 days.

Safe harbour

If you act in good faith, follow this policy, and avoid harming users or data, we will not pursue or support legal action against you for your research. This safe harbour does not apply to actions that break the law, cause disruption, or involve unauthorised access to personal data.

Recognition

We don’t run a paid bug bounty. However, we offer public credit on our Security Acknowledgements page for valid, previously unknown issues reported responsibly. Please tell us how you’d like to be credited.

Privacy & data handling

Don’t intentionally access or store personal information. If you encounter data accidentally, stop testing, do not save copies and report the finding immediately. We’ll work with you to remediate safely.

Third-party systems

If a vulnerability affects a third-party service or hosting provider, we may pass details to them and assist coordination. Recognition may be shared or deferred to their process.

Coordinated disclosure

Please give us reasonable time to fix the issue before public disclosure. We’ll provide status updates, expected timelines, and final confirmation when addressed.

Questions? Email nat@iwsa.com.au. Last updated: 11 Aug 2025.