Responsible Vulnerability Disclosure Program

for OnSecurity Technology Limited

Purpose

OnSecurity invites security researchers, partners, and customers to responsibly report vulnerabilities in our public services, products, and systems. This policy lays out how to report, what we cover, what we don’t, and what you can expect from us. Acting in good faith under this policy provides a safe harbour for researchers who comply.

Scope

In-Scope

  • OnSecurity-owned public-facing systems: the web portal (app.onsecurity.io), API endpoints, authentication systems, domain assets, and external-facing infrastructure.
  • Typical in-scope issues include OWASP Top 10 categories and vulnerabilities affecting Confidentiality, Integrity, or Availability.

Out of Scope

  • Physical offices, internal staff-only systems or private admin tools (unless otherwise agreed).
  • Denial of Service (DoS) attacks, social engineering, physical intrusions, brute force attacks, or attacks involving data harvesting.
  • Third-party services we consume (e.g., SaaS outside of OnSecurity domain).

Rules of Engagement

You agree to:

  • Act in good faith: exploit a vulnerability only to the degree needed to demonstrate risk, and do not degrade or disrupt our systems.
  • Avoid Denial of Service, social engineering, phishing employees, or compromising non-consenting data.
  • Limit access strictly to what’s necessary (e.g., don’t access data outside of proof-of-concept).
  • For injection, authentication, authorisation, encryption, logic flaws, or operational vulnerabilities, demonstrate the issue via a safe proof-of-concept, logs, or screenshots (redacted if they contain personal data).
  • If your investigation inadvertently accesses personal data: notify us immediately, stop accessing further, and delete it from your environment.

Legal Safe Harbour

If you comply in good faith with our rules of engagement and scope, you will not face legal action or requests for damages from OnSecurity.

However, this policy does not cover willful harm, data theft, extortion, deliberate destruction, exploitation beyond proof-of-concept, or publication before remediation.

Reporting Process

Send your report to [email protected] and please include:

  • Affected service/asset (e.g., app.onsecurity.io, API endpoint, domain).
  • Vulnerability type and high-level classification (e.g., cross-site scripting, privilege escalation, auth bypass).
  • Clear steps to reproduce, sample payload, screenshots, logs (redacted).
  • Your contact information (email) so we can communicate progress; optional but encouraged.

Response Timeline

  • We’ll acknowledge receipt within 3 business days.
  • We’ll update you on progress within 10 business days of acknowledgement (unless resolved earlier).

Data Handling & Privacy

  • Any data you access solely to confirm a vulnerability must be deleted once the issue is resolved or upon our request.
  • If you encounter real user personal data (PII), do not retain or disseminate it; notify us immediately.
  • OnSecurity will process your report and personal data in line with our Privacy Policy and applicable laws.

Reward

OnSecurity offers impact-based payouts or ‘Swag-Packs’ depending on the severity of the confirmed vulnerability.

  • Reports must include a working proof-of-concept to qualify.
  • Rewards are determined at OnSecurity’s discretion based on impact, exploitability, and report quality.
  • Duplicate reports are rewarded on a first-come, first-served basis.