PrimeX Security

Report a vulnerability.

PrimeX holds real customer data for real operators. We treat security reports as high-priority work and aim to acknowledge each report within two business days. This page is for researchers and anyone who finds a bug that affects the safety of that data.

Report

Email security@primex.it.com with:

  • A clear description of the issue
  • Steps to reproduce or a minimal proof-of-concept
  • Your assessment of the impact

Please email us first instead of posting publicly. If the report is time-sensitive (active exploitation, data at risk), put [URGENT] in the subject line.

Scope

In scope for responsible disclosure:

  • The primex.it.com production web app
  • The PrimeX database schema and access policies
  • The PrimeX mobile apps on the App Store and Play Store
  • The hosting infrastructure, DNS, and CI pipelines

Out of scope:

  • Issues in third-party services we depend on — please report those upstream to the provider
  • Social engineering of PrimeX staff or customers
  • Denial-of-service, volumetric, or stress-testing attacks
  • Issues requiring an attacker to already have physical device access

Safe harbor

We will not pursue legal action against researchers who follow this policy in good faith, do not exfiltrate or share customer data, do not disrupt service for other users, and give us a reasonable window to fix the issue before public disclosure.

If you're unsure whether something is in scope, email first and we'll work it out together.

Timelines

  • Critical (auth bypass, tenant cross-read, RCE): patch in 7 days, coordinated disclosure 30 days after patch.
  • High (privilege escalation, sensitive data exposure): patch in 14 days, disclosure 60 days after patch.
  • Medium (DoS, business-logic flaws): patch in 30 days, disclosure 90 days after patch.
  • Low (misconfig, minor info leak): next release, disclosure at our discretion.

Bounty

We do not currently run a paid bug bounty. We will credit researchers in our release notes and post-mortems when they wish to be named.