If you believe you have found a security vulnerability in an iCrimeFighter product or service, we want to hear from you. This policy explains how to report it, what you can expect from us, and the boundaries of good-faith research that we will not pursue legally.
Effective May 2026
Send your report to the security contact below. Please include enough detail for us to reproduce and validate the issue: the affected URL or component, a description of the vulnerability, the steps to reproduce it, and any supporting material such as request/response captures or proof-of-concept code.
Please report the issue privately and give us a reasonable opportunity to remediate before any public disclosure.
Are you a customer? This channel is for security researchers reporting vulnerabilities. If you are a licensed agency with a product question, support need, or account issue, please use your normal iCrimeFighter support channel instead — it will reach the right team faster.
We will not pursue or support legal action against you for security research conducted in accordance with this policy. If you make a good-faith effort to comply with it, we will consider your research authorized, work with you to understand and resolve the issue quickly, and recognize your contribution if you wish.
Good faith means: you act to avoid privacy violations, data destruction, and service interruption; you do not access, modify, or retain data that does not belong to you; and you give us a reasonable time to respond before disclosing.
Because iCrimeFighter stores criminal justice information governed by the FBI CJIS Security Policy, some common testing techniques are strictly prohibited. The following activities are not authorized under any circumstance:
If a vulnerability exposes customer or evidence data, stop immediately and do not access the data any further. Any customer, end-user, employee, or business data you access inadvertently must not be used, stored, recorded, copied, or disclosed to anyone, and must be deleted once it is no longer needed to document the report. You must declare any such access as part of your report. Given the criminal justice information involved, this requirement is strict and non-negotiable.
We do not operate a paid bug bounty program and do not offer monetary compensation for vulnerability reports. We genuinely appreciate the effort that goes into responsible research, and with your permission we are glad to publicly recognize researchers who help improve our security.
With your consent, we will add your name to our security acknowledgements if you are the first to report a previously unknown, valid, in-scope vulnerability and you have followed this policy. Recognition is offered at our discretion.
Please note: Unsolicited invoices, payment demands, or offers of paid monitoring, scanning, or remediation services are not part of this program and will not be accepted. Submitting a report does not create any expectation of payment.
We confirm receipt of your report within two business days.
We investigate and work to reproduce the issue, and we may contact you for additional detail.
We prioritize a fix based on severity and impact, and keep you informed of meaningful progress.
We confirm resolution and, with your consent, recognize your contribution.
At-Scene LLC — makers of iCrimeFighter. This policy may be updated from time to time; the machine-readable security contact is maintained at /.well-known/security.txt in accordance with RFC 9116.