Vulnerability Disclosure Policy
We take security seriously. If you've found a vulnerability in our systems, we want to hear from you.
Our Commitment
As a security company, we believe in practicing what we preach. We welcome responsible security research on our own systems and commit to working with researchers who discover vulnerabilities.
Scope
The following domains and systems are in scope:
- orasec.co
- www.orasec.co
- ghost.orasec.co
- pentia.orasec.co
- *.orasec.co
Out of Scope
- Physical security testing
- Social engineering of employees
- Denial of service attacks
- Third-party services and integrations
- Spam or low-quality findings
How to Report
Please send vulnerability reports to [email protected]. Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Proof of concept (screenshots, videos, code)
- Potential impact assessment
- Your contact information
For sensitive reports, you may encrypt your email using our PGP key (available on request).
What to Expect
Acknowledgment (24 hours)
We'll confirm receipt of your report and assign a tracking ID.
Triage (72 hours)
Our security team will validate the vulnerability and assess severity.
Resolution (varies)
We'll work on a fix and keep you updated on progress.
Recognition
With your permission, we'll recognize your contribution.
Safe Harbor
We will not pursue legal action against researchers who:
- Act in good faith and follow this policy
- Avoid privacy violations and data destruction
- Do not degrade our services for users
- Give us reasonable time to fix issues before disclosure
Recognition
While we don't currently offer monetary bounties, we recognize researchers on our security hall of fame (with permission) and provide swag for significant findings. We're always happy to serve as a reference for security researchers.