ProntoID processes sensitive identity and biometric data on behalf of people and businesses worldwide. Any unauthorized attempt to access, probe, disrupt or exploit our systems is strictly prohibited and may be unlawful. This page explains what is forbidden, the consequences, and how to report a vulnerability the right way.
This disclaimer applies to all ProntoID websites, subdomains, applications, APIs and infrastructure — including, without limitation, prontoid.com, verify.prontoid.com, secure.prontoid.com, developer.prontoid.com and api.prontoid.com — together with all data, accounts and services accessible through them.
It applies to every visitor, user, customer, integrator and third party. By accessing or using any part of the service, you agree not to engage in the activities described below. This policy supplements, and does not replace, our Terms of Service, Privacy Policy and any contract you may have with us.
The following are expressly forbidden. This list is illustrative, not exhaustive.
Attempting to access any account, system, API, dashboard, database or record that you are not expressly authorized to access.
Port scanning, vulnerability scanning, fuzzing or any automated probing of our infrastructure without prior written authorization.
Exploiting, or attempting to exploit, any vulnerability to gain access, escalate privileges, alter data or extract information.
Circumventing, disabling or defeating authentication, authorization, rate-limiting, liveness or fraud-prevention controls.
Scraping, harvesting or bulk-extracting personal data, verification records, document images or biometric data of any kind.
Uploading, transmitting or injecting malware, ransomware, worms, trojans or any other malicious or destructive payload.
Denial-of-service, flooding, resource exhaustion or any action that degrades the availability or integrity of the service for others.
Phishing, pretexting or otherwise deceiving our staff, contractors or users in order to obtain credentials, access or sensitive data.
Reverse-engineering, decompiling or disassembling our software for the purpose of bypassing security or extracting secrets or keys.
Forging identities, presenting deepfakes, masks or replayed media, or spoofing devices in an attempt to defeat identity verification.
ProntoID is operated from Switzerland by Brooks & Keitt Sàrl (Place du Midi 30, 1950 Sion). Unauthorized interference with our systems is an offence under the Swiss Criminal Code, including:
Because our users are located around the world, foreign computer-misuse and data-protection laws may also apply. We cooperate with law-enforcement authorities across jurisdictions and will support cross-border investigations where appropriate.
We welcome good-faith security research. Follow these rules of engagement and we will not pursue legal action against you.
Email a clear description, affected endpoints and a minimal proof-of-concept to security@prontoid.com. Do not disclose the issue publicly until we have confirmed a fix.
Use only your own test accounts and data. Stop at the first confirmation of a vulnerability — do not pivot, exfiltrate, or access data that is not yours.
Allow a reasonable period to investigate and remediate. We will keep you informed of progress and triage outcomes throughout.
No denial-of-service, no social engineering of our people, no physical attacks, and no degradation of the service for other users.
Email vulnerabilities to security@prontoid.com. For platform abuse, contact abuse@prontoid.com.
The safe-harbour commitment above applies only to research conducted in good faith and in full compliance with these rules. Activity that accesses other people's data, disrupts the service, or continues after a vulnerability is confirmed falls outside it. If you are unsure whether something is authorized, ask us first.
ProntoID does not offer monetary rewards for vulnerability reports. We are grateful for responsible disclosure and are glad to credit researchers publicly where they wish, but please report because it is the right thing to do — not in expectation of payment.
Demanding payment is not research. Conditioning the disclosure of a vulnerability on a payment, threatening to publish, leak or sell findings unless you are paid, or otherwise pressuring us for money places you outside this safe harbour entirely. Such conduct may constitute extortion under Art. 156 of the Swiss Criminal Code, in addition to any access offences, and will be treated accordingly.
Yes — but only through our coordinated vulnerability disclosure programme and strictly within the rules of engagement described on this page. Good-faith research that follows those rules is welcomed; unauthorized probing or exploitation outside them is prohibited.
Responsible disclosure means finding a weakness in good faith, staying within agreed limits, accessing only your own data and reporting privately so it can be fixed. Hacking, in the sense prohibited here, means unauthorized access, exploitation or data extraction. The intent, the authorization and the conduct are what separate the two.
ProntoID is operated from Switzerland by Brooks & Keitt Sàrl, so the Swiss Criminal Code applies — in particular Art. 143 (unlawful obtaining of data), Art. 143bis (unauthorized access to a data-processing system) and Art. 144bis (damage to data). Because our users span many countries, foreign computer-misuse and data-protection laws may also apply and we cooperate with authorities across jurisdictions.
We will not pursue legal action for security research that is conducted in good faith and in full compliance with the rules of engagement on this page. If you are unsure whether an activity is authorized, contact us before you proceed.
No. ProntoID does not operate a paid bug-bounty programme and offers no monetary reward for reports. We are happy to credit researchers publicly where they wish. Submitting a report creates no obligation on our part, and demanding payment, or threatening to publish or sell findings unless paid, falls outside our safe harbour and may constitute extortion under Swiss law.
Email security@prontoid.com for vulnerabilities and abuse@prontoid.com for misuse of the platform. Include enough detail for us to reproduce and assess the issue. Please do not post details publicly until a fix has been released.
If you see something, say something. Report vulnerabilities responsibly and help us keep millions of identities safe.
Good-faith research welcome · Confidential handling · Coordinated disclosure