Vulnerability Disclosure Policy.

IDnow values the contributions of the security research community. If you believe you have found a security vulnerability in an IDnow product, service, or system, we want to hear from you. This policy explains how to report a vulnerability, what is in scope, the rules for security testing, and what you can expect from us in return.

To report a vulnerability, email security@idnow.io. This document is classified as public information under IDnow’s Classification of Information Policy.

Scope

This policy applies to any external stakeholder who may have an interest in reporting vulnerabilities to IDnow, such as customers, vendors, providers, or individual researchers.

Potentially all assets developed or maintained by IDnow are in scope. This includes those developed by the former identity Trust Management AG/GmbH and ARIADNEXT SAS, who are now part of the IDnow group. Assets owned by customers of IDnow are out of scope.

We encourage all stakeholders to conduct their security tests, where possible, in our testing environments. These are listed under Testing environments below.

Legal posture

  1. IDnow values the contributions of security researchers in identifying vulnerabilities for our products and services. IDnow therefore openly welcomes reports on vulnerabilities for the assets mentioned in the Scope section.
  2. IDnow commits not to take legal action against stakeholders who conduct security research, security scans, or vulnerability testing, provided that: (a) they do not damage IDnow or its customers in any way; and (b) the scope of the activities is limited to the assets described in the Scope section.
  3. The security tests must adhere to applicable laws in the researcher’s jurisdiction and the jurisdiction of IDnow. Actions that might technically violate certain laws but only result in a claim by IDnow (and not a criminal charge) are acceptable if they are intended to improve our systems (for example, circumventing a security control under authorization).
  4. Vulnerabilities must not be publicly disclosed, either in whole or in part, until the mutually agreed-upon timeframe has expired.

Prohibited actions

In line with the legal posture outlined above, the following actions are expressly prohibited:

  1. Performing tests that may disrupt IDnow or its users, such as spam, load tests, brute force attacks, or Denial of Service (DoS) attacks.
  2. Accessing information beyond what is necessary to demonstrate a valid proof of concept.
  3. Destroying or corrupting any data belonging to IDnow.
  4. Engaging in physical or electronic attacks on IDnow personnel, property, or data centers.
  5. Using social engineering tactics against any IDnow employee, agent, or contractor.
  6. Conducting vulnerability tests on participating services without using designated test accounts.

Testing environments

Where possible, please conduct your security tests against the following publicly available domains in our testing environments:

  • *.test.idnow.de
  • *.test.idnow.io
  • *-sandbox.ariadnext.io
  • *-test.idcheck.io
  • *-demo.ariadnext.com
  • *-test.ariadnext.com
  • *-demo.yris.eu
  • integration.idvos.de
  • studio.eu.platform.idnow.sx

Before you start testing

  1. Where possible, please notify security@idnow.io when you plan to start testing, so that we can better understand alerts from our monitoring systems.
  2. If you need special access to a test account, you can contact us at security@idnow.io.

How to report a vulnerability

  1. Reports must be sent to security@idnow.io.
  2. For the report to be considered, it should: (a) be well written, preferably in English; (b) include a proof of concept; and (c) detail the way the vulnerability was found.
  3. Reports that mostly consist of automated tool output will probably not be accepted.

Coordinated disclosure

If applicable, IDnow will coordinate a public notification of a validated vulnerability with you. We kindly request that our respective public disclosure statements are posted simultaneously.

What you can expect from us

IDnow would like to thank any researcher dedicated to improving information security. What you can expect from us:

  1. A timely response to your notification, typically within 2 business days.
  2. An open dialogue to discuss the issue.
  3. Notification when the vulnerability assessment has been completed, along with the expected timeline for the patch, fix, or mitigation.
  4. Credit after the vulnerability has been validated and fixed.

Version 2.1.0 — 2026-02-03