At IceWhale, security is a top priority. This document outlines our security disclosure process, scope, and guidelines for reporting vulnerabilities.

We are committed to:

• Transparent and responsible disclosure.
• Prompt resolution of security issues.
• Public acknowledgment of contributors who help us improve.

In Scope:

• ZimaOS (Latest version Only)
• ZimaBoard hardware + firmware
• ZimaCube hardware + firmware
• Official IceWhale services

Out of Scope:

• Third-party services or software not developed by IceWhale.
• Physical attacks requiring device theft or tampering.
• Social engineering attacks (phishing, scams).
• Denial-of-service (DoS) attacks that do not reveal exploitable flaws.
• Exploit working on older version of browser.

If you discover a potential vulnerability:

• Please email us at [email protected] or open a report via GitHub Security Advisories.
• Include:
  • Steps to reproduce
  • Impact assessment
  • Affected version(s)
  • Suggested fixes (if possible)

We aim to acknowledge reports within 10 business days and provide updates throughout the triage and fix process.

• We follow a 90-day disclosure timeline (aligned with industry standards).
• If a fix is released earlier, we may disclose sooner.
• Contributors will be acknowledged in our Hall of Fame and/or advisories.

We thank the security researchers who responsibly disclosed vulnerabilities:

• DrDark1999 - Multiple CVEs in ZimaOS

• 📧 Email: [email protected]
• 🌐 GitHub: IceWhale Security Advisories