Security Policy
Osmerion Vulnerability Disclosure Policy
At Osmerion, the security of our systems and the privacy of our users are paramount. The Osmerion Vulnerability Disclosure Policy (the "Policy") is designed to foster an environment where security researchers are encouraged to disclose vulnerabilities and work with us to mitigate potential security issues. We strongly encourage responsible vulnerability research. This policy describes how to report vulnerabilities and is intended to provide a legal foundation for security researchers to conduct their work.
Scope
This policy applies to any Osmerion software and services unless explicitly stated otherwise (e.g. in an open-source software's security policy).
Guidelines
The rules below have been developed to encourage vulnerability research and to distinguish between legitimate research and malicious attacks. We ask that you comply with this Policy by adhering to the following guidelines:
- Play by the rules. This includes following this Policy and any other relevant agreements;
- Report any vulnerability you’ve discovered to us promptly and in accordance with this policy;
- Avoid violating the privacy of others, disrupting our systems, destroying or manipulating data, and/or harming user experience; and
- You should only interact with test accounts you own or that you access with explicit permission from the account holder.
Safe Harbor
Osmerion will not initiate legal action against individuals or organizations who discover and report vulnerabilities in accordance with this policy if a good faith effort to comply with this policy is made. We consider any security research conducted under these guidelines to be:
- Authorized in view of any applicable anti-hacking laws (including but not limited to the Computer Fraud and Abuse Act (CFAA) and/or similar state laws), and we will not initiate or pursue legal action against you for accidental, good faith violations of this Policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from the Digital Millennium Copyright Act (DMCA) with respect to the circumvention of the technological measures and controls we have used to protect our applications;
- Exempt from any restrictions in our Terms of Use that would prohibit or limit such research, and we waive those restrictions on a limited basis for research conducted in accordance with this Policy; and
- Conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels before proceeding with such research.
Third-Party Vulnerabilities
If you submit a report in accordance with this policy which affects or is identified to be caused by a third-party product, Osmerion may share relevant information with the affected third party. Except as required by law, we will not share your identifying information with any affected third party without first notifying you.
Rewards & Acknowledgements
At this point in time, Osmerion does not offer any rewards or acknowledgements for reported vulnerabilities. If you wish, you may retroactively receive acknowledgement if this policy is amended.
Contact
Please report vulnerabilities to [email protected]. The GPG key below can be used to encrypt emails.
GPG Key ID: 2DD6C8F45D881F4CD43BF87005D56D508E9AAC58