Our Commitment to Security
TokenWorks Inc. takes the security of our products, services, and customer data seriously. We develop and maintain identity verification solutions used across thousands of locations, and we recognize that independent security research plays an important role in identifying vulnerabilities before they can be exploited.
We welcome responsible disclosure from security researchers, customers, and members of the public. This policy describes how to report a vulnerability and what you can expect from us in return.
Scope
This policy covers vulnerabilities in:
-
IDVisor Smart and IDVisor Smart Plus hardware and firmware
-
IDScanner.com cloud-based services and web applications
-
IDVisor Sentry and IDentiFake software
-
IDentiSync User Management System (UMS)
-
The tokenworks.com and idscanner.com websites and APIs
If you are unsure whether a system is in scope, please report it anyway and we will confirm.
Out of scope:
-
Vulnerabilities in third-party services not operated by TokenWorks (e.g. Microsoft Azure, Google Workspace)
-
Social engineering or phishing attacks targeting TokenWorks employees
-
Physical security testing of TokenWorks facilities
-
Denial of service (DoS/DDoS) attacks
-
Issues in end-of-life products that no longer receive security support
How to Report
Please submit vulnerability reports by email to:
Include the following in your report:
-
A description of the vulnerability and the potential impact
-
The product or service affected and version (if known)
-
Step-by-step instructions to reproduce the issue
-
Any proof-of-concept code, screenshots, or supporting materials
-
Your name and contact information (optional — anonymous reports are accepted)
We accept reports in English. PGP encryption is available on request.
What to Expect From Us
|
Milestone |
Target timeframe |
|---|---|
|
Acknowledgment of your report |
Within 3 business days |
|
Initial assessment and severity classification |
Within 10 business days |
|
Remediation or mitigation in progress |
Within 30 days for critical/high; 90 days for medium/low |
|
Notification to you when the issue is resolved |
Upon release of fix |
We will keep you informed throughout the process. If we need additional information to reproduce or assess the vulnerability, we will reach out promptly.
Our Commitments to Researchers
If you follow this policy and report in good faith, TokenWorks commits to:
-
Acknowledge and respond to your report within 3 business days
-
Not pursue legal action against you for security research conducted under this policy
-
Work with you to understand and remediate the issue
-
Credit you in our release notes or communications (if you wish to be named)
-
Not share your personal information with third parties without your consent
We do not currently offer monetary bounties, but we deeply value responsible disclosure and will recognize contributors where possible.
Researcher Guidelines
To qualify for the protections above, please:
-
Do not access, modify, or delete data that belongs to others
-
Do not disrupt production services or degrade performance for real users
-
Do not exploit a vulnerability beyond what is necessary to demonstrate it
-
Do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it (coordinated disclosure)
-
Do not use automated scanning tools against production environments without prior written approval
Coordinated Disclosure
We ask that you allow us a reasonable time to address the vulnerability before any public disclosure. We typically ask for 90 days from the date of our acknowledgment, though we will work with you on timing if a shorter or longer window is appropriate.
Enterprise Partners
If you are a TokenWorks enterprise partner or customer and have identified a security issue, please contact your designated TokenWorks account representative directly in addition to filing a report at security@tokenworks.com. For urgent incidents, call TokenWorks support at 1-800-574-5034
Questions
For questions about this policy, contact: security@tokenworks.com