Responsible Vulnerability Disclosure Program
for OnSecurity Technology Limited
Last updated: 15th April 2026
Purpose
OnSecurity invites security researchers, partners, and customers to responsibly report vulnerabilities in our public services, products, and systems. This policy lays out how to report, what we cover, what we don’t, and what you can expect from us. Acting in good faith under this policy provides a safe harbour for researchers who comply.
Rules of Engagement
You agree to:
- Not disrupt business operations. This includes booking any services via our platform. Creating bookings or engaging our services triggers a range of internal processes, including financial and payment workflows. These are not lightweight actions and have real operational impact on our team.
- Not use credentials that do not belong to you, including those obtained from public or private breach databases, infostealer logs, or credential dumps. Testing with stolen credentials may constitute unauthorised access regardless of the source.
- Act in good faith: exploit a vulnerability only to the degree needed to demonstrate risk, and do not degrade or disrupt our systems.
- Avoid Denial of Service, social engineering, phishing employees, or compromising data belonging to parties who have not consented.
- Limit access strictly to what’s necessary (e.g., don’t access data outside of proof-of-concept).
- For injection, authentication, authorisation, encryption, logic flaws, or operational vulnerabilities, demonstrate the issue via a safe proof-of-concept, logs, or screenshots (redacted where they contain personal data).
If your investigation inadvertently accesses personal data, notify us immediately, stop accessing it further, and delete it from your environment.
Scope
In-Scope
- OnSecurity-owned public-facing systems: the web portal (app.onsecurity.io), API endpoints, authentication systems, domain assets, external facing infrastructure.
Out of Scope
- Third-party services we consume (e.g., SaaS outside of the OnSecurity domain).
- Physical offices, internal staff-only systems or private admin tools.
- Denial of Service (DoS) attacks, social engineering, physical intrusions, brute force attacks, or attacks involving data harvesting.
- Credential stuffing or account testing using leaked, stolen, or purchased credentials.
- Certain vulnerabilities are considered out-of-scope. These are as follows:
- Vulnerabilities in third-party libraries or vendor products without demonstrated, specific impact to an OnSecurity application or system (e.g. a CVE with no exploit). This includes version fingerprinting, scanner output identifying a known CVE, or theoretical risk assessments without proof of exploitability. Reports that do demonstrate impact will be evaluated on a case-by-case basis.
- Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists).
- Man-in-the-Middle attacks.
- Vulnerabilities involving physical access to a device.
- Host header injections without impact (must show impact, for example exfiltrating a password reset token or similar).
- Vulnerabilities found through DDoS or spam attacks. Do not attempt or execute DDoS attacks.
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls or sending the attacker a token or similar which the attacker could not otherwise retrieve.
- Self-XSS, which cannot impact other users. For example, an XSS which requires the victim to copy and paste a payload into the browser console or similar.
- Login/logout CSRF.
- Software version disclosure, banner identification issues, or descriptive error messages and headers (e.g. stack traces, application or server errors).
- Tab-nabbing.
- Missing flags on cookies.
- Missing security headers (e.g. HSTS, CSP) or missing email authentication records (SPF, DMARC).
- Content spoofing without embedding an external link or JavaScript.
- Infrastructure vulnerabilities with no demonstrated impact, including issues related to TLS certificates and DNS configuration.
- Server configuration issues without any legitimate impact (e.g. open ports, TLS versions, etc.)
- Information disclosure of public or non-protected information.
- Subdomain takeovers are out of scope unless a harmless POC can be provided by writing “OnSecurity POC” on the affected subdomain.
Legal Safe Harbour
If you comply in good faith with our rules of engagement and scope, you will not face legal action or requests for damages from OnSecurity.
However, this policy does not cover wilful harm, data theft, extortion, deliberate destruction, exploitation beyond proof-of-concept, or publication before remediation.
Reporting Process
Send your report to: [email protected] and include:
- Affected service/asset (e.g., app.onsecurity.io, API endpoint, domain).
- Vulnerability type and high-level classification (e.g., cross-site scripting, privilege escalation, auth bypass).
- Clear steps to reproduce, sample payload, screenshots, logs (redacted).
- Your contact information (email).
Data Handling & Privacy
- Any data you access solely to confirm a vulnerability must be deleted once the issue is resolved or upon our request.
- If you encounter real user personal data (PII), do not retain or disseminate it; notify us immediately.
- OnSecurity will process your report and personal data in line with our Privacy Policy and applicable laws.
Reward
OnSecurity offers impact-based payouts or ‘Swag-Packs’ depending on the severity of the confirmed vulnerability.
- Reports must include a working proof-of-concept to qualify.
- Rewards are determined at OnSecurity’s discretion based on impact, exploitability, and report quality.
- Duplicate reports are rewarded on a first-come-first-served basis.