We found some issues regarding security.
Please check this scenario:
In the login page https://incontrol2.peplink.com/login you have an option to choose sign up as a new member. create a new user.
Also in the Max-BR router you have the message of the Incontrol management that redirect you to the Incontrol web site and gives you the management page.
It seems that if someone attacked the router and get an access to the managment of the router he can click on this link and redirect to the Incontrol even if he do not have permission. He cannot see all the information about the organisation but he can check the request and see the JSON file with all the information regarding the organisation of this router.
Also check what happened if the user without permission catch a package with the organisation number and device