Security & Responsible Disclosure – ImmerTwin™

Effective date: 01 February 2026
Last updated: 01 February 2026

ImmerTwin™ takes security seriously. This Security & Responsible Disclosure statement explains how to report security vulnerabilities affecting:

  • immertwin.com (the “Website”), and

  • tours.immertwin.com (the “Tours Site”),
    together referred to as the “Online Services”.

If you believe you have found a security vulnerability, please report it responsibly so we can investigate and remediate it.

Security contact: contact@immertwin.com
(Use the subject line: “Security Report – Responsible Disclosure”)

1) Scope

This policy covers security vulnerabilities that may impact the Online Services, including:

  • website pages, forms, and authentication/access controls (where present),

  • tour pages and access restrictions (public/unlisted/restricted),

  • configuration and integrations that materially affect security.

Third-party platforms and services integrated into the Online Services may have their own security programmes. If an issue is clearly within a third-party system, we may direct you to report it to the relevant provider.

2) How to report a vulnerability

Email contact@immertwin.com with:

  • the affected URL(s),

  • a clear description of the issue and potential impact,

  • step-by-step reproduction instructions (proof of concept where possible),

  • what you expected to happen vs what happened,

  • any screenshots or logs that help explain the issue,

  • your environment (device, OS, browser),

  • whether you believe data may be exposed (and what type),

  • your preferred contact details for follow-up.

Please avoid sending sensitive personal data unless it is strictly necessary to demonstrate the issue, and only include the minimum needed.

3) What we ask you to do (responsible disclosure expectations)

We ask that you:

  • act in good faith and minimise disruption,

  • only test against accounts/data you own or have explicit permission to use,

  • stop testing once you have confirmed the presence of a vulnerability,

  • give us reasonable time to investigate and remediate before disclosing publicly,

  • do not exploit the vulnerability beyond what is necessary to confirm it exists,

  • do not access, download, modify, or delete data belonging to others.

4) What is not permitted

To protect our users and systems, you must not:

  • perform denial-of-service (DoS/DDoS) tests or other availability attacks,

  • use social engineering, phishing, or physical security attacks,

  • attempt credential stuffing, brute force, or password attacks,

  • use automated scanning that materially impacts performance,

  • exfiltrate data, copy large volumes of content, or scrape restricted tours,

  • make changes to data you do not own or do not have permission to change.

If you are unsure whether a test is permitted, ask us first at contact@immertwin.com.

5) Coordinated disclosure and timelines

We aim to:

  • acknowledge your report as soon as reasonably possible,

  • assess severity and confirm whether the issue is reproducible,

  • work on remediation and keep you informed where practical.

Remediation timelines vary depending on complexity, severity, and whether third-party providers are involved. Where appropriate, we may request that you keep the report confidential until a fix or mitigation is in place (coordinated disclosure).

6) Safe harbour (good-faith research)

We will not pursue legal action against researchers who:

  • follow this policy,

  • act in good faith,

  • avoid privacy violations and service disruption, and

  • do not exploit the issue for gain.

This does not authorise testing that is illegal or that violates the rights of others. This statement applies only to the extent permitted by applicable law.

7) Confidentiality and data handling

We treat vulnerability reports as confidential. We may share details only as necessary to investigate and remediate (for example, with hosting providers, platform partners, or security consultants), and only with appropriate safeguards.

If personal data is involved, we may take additional steps consistent with our Privacy Policy and legal obligations.

8) Recognition

We may acknowledge security reporters (for example, by name) in release notes or a thank-you message, subject to your permission and the nature of the report.

9) Changes to this statement

We may update this Security & Responsible Disclosure statement from time to time. The “Last updated” date at the top indicates the current version.