OK RDY and its clients are committed to working with security researchers to help identify and fix vulnerabilities in our systems and services. As long as you act in good faith and abide by the guidelines outlined in this policy, we will make our best effort to:
- Provide an initial response to your vulnerability report within five business days
- Determine if we will accept (intend to fix) or reject (identify your report as a false positive or acceptable risk) your vulnerability report within ten business days
- Keep you up to date on progress towards remediation of reports we accept from you
When submitting a vulnerability, please consider using the following template so that our team can reproduce the issue reliably:
Title: [Please add a one line description of the issue, e.g. “XSS in mail.example.com results in session theft”]
Summary: [Please add a brief description of the vulnerability and why it matters, e.g. Due to a lack of output escaping, you can send an email to another user containing an XSS payload that lets an attacker steal that user’s session cookies. This would allow the attacker to log in to the victim’s account.]
Reproduction Steps: [Please add step-by-step instructions on how to reproduce the vulnerability, including any request/response details, payloads, and the account or environment used.]
Attack Scenario and Impact: [How could this be exploited? What security impact does this issue have?]
Remediation Advice: [Optionally, if you have any advice on how this issue could be fixed or remediated, add it here.]
When performing security testing, please adhere to the following guidelines:
- Only test against your own accounts and data (e.g. create test accounts). If you identify a vulnerability that may result in access to other users’ data, please check with us first before testing further.
- If you inadvertently access other users’ data in your testing, please let us know, and do not store any such user data.
- Do not perform testing that results in denial of service conditions or degradation of our production services.
- Social engineering is out of scope for this program; do not attempt to socially engineer our organisation or our users.
If you have any further information you would like to submit to us, please contact us via firstname.lastname@example.org