Security & Responsible Disclosure

Security is part of how we deliver.

We take the security of this website, and of every client engagement, seriously. If you have identified a vulnerability, we want to hear about it.

Reporting a Vulnerability

If you believe you have found a security vulnerability in this website or any service we operate, please report it confidentially by email to security@ankorusa.com.

Please include enough detail for us to reproduce and assess the issue: the affected URL, a description of the behavior, reproduction steps, and any supporting context.

What to Expect

  • Acknowledgment of your report within 2 business days.
  • A confidential review by the engineering and operations team.
  • A status update once we have validated and triaged the report.
  • Recognition, if you wish, after a fix has been deployed.

Our Commitments

  • We will not pursue legal action against researchers acting in good faith and within the scope below.
  • We will keep your report confidential and will not share your information without consent.
  • We will work in good faith to resolve verified issues promptly.

Scope & Guidelines

In scope:

  • This website and its publicly available endpoints.
  • Common classes of vulnerability (XSS, CSRF, authorization, injection, sensitive data exposure, configuration weaknesses).

Out of scope / please do not:

  • Run automated scanners that generate substantial traffic.
  • Conduct denial-of-service testing.
  • Access, modify, or destroy data that does not belong to you.
  • Engage in social engineering of staff, partners, or clients.
  • Test physical security or third-party services we do not operate.

Site Security Posture (Summary)

  • Strict Content Security Policy with no inline or remote scripts beyond a tightly allow-listed set.
  • X-Content-Type-Options, Referrer-Policy, and Permissions-Policy enforced on every page.
  • HTTPS-only delivery with HSTS at the edge; frame-ancestors is set in the Content-Security-Policy response header (browsers ignore it in a <meta> tag) to prevent clickjacking.
  • XSS-safe DOM rendering for all dynamic content; no innerHTML with untrusted data.
  • Form inputs are length-capped, validated, and protected by honeypot and time-trap controls against automated abuse.
  • External links use rel="noopener noreferrer".
  • No third-party JavaScript trackers; no advertising networks; no analytics that share data with third parties without disclosure.
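The header controls listed above can be checked from the outside. The script below is an added example, not tooling from this site: it parses a response's Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy and Permissions-Policy headers and reports where they fall short of the posture described. Both header sets are constructed for illustration and are not captured from ankorusa.com; a real check would feed in the headers returned by a request to the page.

```python
"""Audit HTTP response headers against the security posture summarised above.
Added example, not the site's own code. The two header dictionaries are
constructed samples, not responses captured from any real host."""
import re
from typing import Dict, List

# Constructed response that follows the posture: allow-listed script-src,
# frame-ancestors in the header, one-year HSTS, nosniff, safe referrer policy.
GOOD_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.net; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed weak counterpart: inline scripts and any origin allowed, no
# frame-ancestors, five-minute HSTS, no nosniff, referrer leaks full URLs.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' *",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return the HSTS max-age in seconds, or 0 when the header is absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the posture holds."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when it is not set explicitly.
        script_src = csp.get("script-src", csp.get("default-src", []))
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is
        # present, so only flag it when nothing neutralises it.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in script_src
        )
        if ("'unsafe-inline'" in script_src and not has_nonce_or_hash) or (
            "'unsafe-eval'" in script_src
        ):
            findings.append("script-src permits inline or eval scripts")
        if "*" in script_src:
            findings.append("script-src allows scripts from any origin")
        if "frame-ancestors" not in csp:
            findings.append("no frame-ancestors directive (clickjacking)")

    if hsts_max_age(h.get("strict-transport-security", "")) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    referrer = h.get("referrer-policy", "").lower()
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy absent or leaks the full URL cross-origin")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

The audit reads only headers, which is the point of the frame-ancestors item above: a policy delivered in a <meta> tag would never reach this check and would not stop framing either.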

This policy is also discoverable at /.well-known/security.txt per RFC 9116.
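A reporter relying on that file needs it to be well-formed and current. The validator below is an added example, not part of this site: it applies the RFC 9116 rules that matter most to a reader (at least one Contact as a URI, exactly one Expires in RFC 3339 form that is in the future and no more than a year out, https for web URIs, Preferred-Languages at most once). The two files it checks are constructed samples using example.com, not the real /.well-known/security.txt of this site.

```python
"""Validate a security.txt file against RFC 9116. Added example, not the
site's own code; the two sample files are constructed and use example.com."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Expires is generated relative to now so the good sample stays valid.
_GOOD_EXPIRES = (datetime.now(timezone.utc) + timedelta(days=180)).strftime(
    "%Y-%m-%dT%H:%M:%SZ"
)

GOOD_FILE = f"""# Constructed sample, not any site's real file.
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: {_GOOD_EXPIRES}
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

STALE_FILE = """# Constructed sample with the mistakes a validator should catch.
Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Canonical: http://example.com/.well-known/security.txt
"""

# Optional fields whose values are web URIs and therefore must use https.
WEB_URI_FIELDS = ("canonical", "encryption", "acknowledgments", "policy", "hiring")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return {lowercased field name: [values]}; '#' lines are comments."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """Parse an RFC 3339 date-time; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems: List[str] = []

    for line in f.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")

    contacts = f.get("contact", [])
    if not contacts:
        problems.append("Contact field is required")
    for c in contacts:
        if c.startswith("http://"):
            problems.append(f"Contact web URI must use https: {c}")
        elif not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a recognised URI: {c}")

    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = parse_expires(expires[0])
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"file expired on {expires[0]}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")

    if len(f.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages may appear only once")

    for name in WEB_URI_FIELDS:
        for uri in f.get(name, []):
            if not uri.startswith("https://"):
                problems.append(f"{name} must be an https URI: {uri}")
    return problems


if __name__ == "__main__":
    print("good:", validate_security_txt(GOOD_FILE) or "no problems")
    print("stale:", validate_security_txt(STALE_FILE))
```

Run it against a fetched copy of the file before each Expires renewal; an expired security.txt tells researchers the contact may no longer be monitored, which is the failure mode the field exists to prevent.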

Security contact

Send vulnerability reports to security@ankorusa.com.

Other inquiries

For non-security topics, please use our standard contact form.