Responsible Disclosure Policy
Last updated: February 2026
1. Introduction
ICG Commercial Group takes the security of our systems seriously. We value the security research community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users and systems.
If you believe you have found a security vulnerability in any of our systems, we encourage you to notify us. We will work with you to resolve the issue promptly.
2. Scope
This policy applies to vulnerabilities found in:
- The icg.com.na website and its subdomains
- Any publicly accessible ICG systems or services
The following are explicitly out of scope:
- Social engineering attacks against ICG staff (phishing, vishing, etc.)
- Denial of service (DoS/DDoS) attacks
- Physical security attacks against ICG offices or data centres
- Third-party services or applications that we use but do not own
- Findings from automated scanning tools without verified impact
3. Reporting a Vulnerability
Please report security vulnerabilities by emailing security@icg.com.na. Where possible, please encrypt your report using our PGP key (available upon request).
Your report should include:
- A description of the vulnerability and its potential impact
- Detailed steps to reproduce the issue
- Any supporting evidence (screenshots, proof-of-concept code, logs)
- Your contact information for follow-up
- Whether you wish to be credited publicly for the discovery
4. Our Commitments
When you report a vulnerability to us in good faith, we commit to:
- Acknowledging receipt of your report within 2 business days
- Providing an initial assessment and expected timeline within 5 business days
- Keeping you informed of our progress toward remediation
- Crediting you publicly (if desired) once the vulnerability is resolved
- Not pursuing legal action against researchers who act in good faith and comply with this policy
5. Guidelines for Researchers
To ensure a positive experience for everyone, we ask that you:
- Do not access, modify, or delete data belonging to other users
- Do not degrade the performance or availability of our services
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Provide us with reasonable time to address the vulnerability before any public disclosure (minimum 90 days)
- Comply with all applicable laws and regulations
6. Safe Harbour
ICG Commercial Group considers security research conducted in accordance with this policy to be authorised activity. We will not pursue civil or criminal action against researchers who comply with this policy. If legal action is initiated by a third party, we will take reasonable steps to make it known that the researcher's actions were conducted in compliance with this policy.
7. Contact
Security reports: security@icg.com.na
General enquiries: info@icg.com.na
Phone: +264 81 340 7620