Responsible Disclosure Policy
At Oort, our mission is to make network security easy for distributed companies. We value the insights of our clients, partners, and the independent security research community, and we welcome the opportunity to work together with this community when vulnerabilities are discovered. We believe that the disclosure of vulnerabilities is essential for improving the quality and security of our product, and the safety of our customers who rely upon it.
If you are a security researcher and have identified a suspected security vulnerability in our product, we appreciate your help in disclosing it to us in a coordinated and responsible manner. If you report a valid security vulnerability in compliance with this Responsible Disclosure Policy (“Policy”), Oort will collaborate with you to understand, validate and resolve the issue.
Responsible disclosure helps us to ensure that our product and infrastructure are tested and reliable. Moreover, our commitment to mitigating vulnerabilities is reassuring for our customers and the security industry as a whole.
Oort's responsible disclosure program is intended to encourage coordinated responsible disclosure. We endeavor to apply industry best practices for coordinated disclosure of vulnerabilities to ensure that customers get the highest quality information and to drive public discussion of methods for improvement of products, protocols, and standards. Unless required by law or law enforcement authorities, Oort does not intend to initiate a lawsuit or law enforcement investigation against a security researcher who discovers and reports a security vulnerability in compliance with this Policy. Oort reserves all rights in the event of noncompliance. If your security research involves the networks, systems, information, applications, products, or services of another party, including a third-party application that is integrated with Oort, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving any other entities.
Your participation in this program is voluntary and subject to the terms and conditions set forth in this Policy. By submitting reports or otherwise participating in this program, you agree that you have read and will follow this Policy. Oort reserves the right to change or modify the terms of this program or terminate this program at any time.
This policy applies to the Oort website, web application, APIs, and services made available in support of our product at https://oort.io/
We cannot and do not authorize testing of any other website, web application, API, or service.
Prematurely revealing a vulnerability publicly without first notifying Oort risks harm to our customer organizations, exposing sensitive information, and putting people and organizations in danger of malicious attacks. For this reason, our responsible disclosure policy sets out a two-phase process:
1. First, private disclosure of a potential vulnerability to Oort. Oort will validate the vulnerability, then remedy it, and, with the cooperation of the individual who disclosed it, test to ensure the remedy has secured the vulnerability against future exploitation.
2. Oort then coordinates public disclosure, including publication of a written security advisory that includes remediation procedures. At the option of the person who disclosed the vulnerability, Oort will also recognize the security researcher's discovery, confirming that credit is given to the right person(s).
We ask that researchers recognize that the time we need to investigate, validate and remediate reported vulnerabilities varies based on complexity and severity. We will communicate expected timelines and changes, and collaborate where possible. Please submit your findings to [email protected].
We must impose some restrictions in order to facilitate the safety and security of the customers who depend upon our product:
- Vulnerabilities must be disclosed to us privately with a reasonable time to respond, and in accordance with the requirements of this Policy. We will seek to respond quickly to your report. You are not permitted to disclose a vulnerability or otherwise share details about a vulnerability with a third party prior to resolution without express, written permission from Oort.
- You must include detailed information with reproducible steps. We request that researchers provide sufficient technical details and background necessary for us to identify and validate reported issues.
- Oort will disclose known vulnerabilities and their fixes to its customers in a manner that protects the customer first.
- Oort will include credit to the person who first identified the vulnerability in our disclosure only if that disclosure is requested by the one who reported it.
- We will not publicly disclose the identity of any researcher without consent, except where required by law.
Security Testing Requirements
- You must abide by the program scope.
- You must comply with all applicable legal and regulatory requirements, including laws or regulations which govern privacy and data processing.
- You must securely delete any Oort information which may have been downloaded, cached, or otherwise stored on systems used to perform research.
- You may only use or interact with your own accounts for testing purposes. Do not attempt to compromise or otherwise gain access to an account you are not authorized to access.
- Do not exploit a vulnerability for malicious purposes.
- You are prohibited from engaging in any activity that would be disruptive, damaging, or harmful to Oort or its customers. This includes, without limitation:
  - social engineering techniques
  - malicious software techniques (e.g., viruses, worms, ransomware, etc.)
  - Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  - testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or other forms of duplicative or unsolicited messages
- You are prohibited from engaging in any violations of user privacy, trading stolen user credentials, or destroying data.
- You may not access data except to the extent minimally necessary to identify a vulnerability, and use of such data must be limited to that which is necessary to identify and report the vulnerability. You are prohibited from compromising data that is not your own.
- You are prohibited from engaging in any activity that results in you or any third party accessing, acquiring, altering, copying, storing, sharing, transferring, deleting, or otherwise processing customer or employee personal information, or Oort confidential information. If this occurs inadvertently, please stop testing and contact us immediately at [email protected]. As provided above, all copies of such information must be securely deleted upon submission of the vulnerability to Oort.
Please submit a report to us or request additional testing permission before causing damage or engaging in conduct that may be inconsistent with this Policy. If you inadvertently cause a violation of this program Policy, please report the incident immediately to [email protected].
Oort will disclose known vulnerabilities and their fixes to its customers in a manner that protects the customer first. Disclosures made by Oort will include credit to the person who first identified the vulnerability unless otherwise requested by the one who reported it. We are committed to working with security researchers who approach Oort with a shared interest in improving security and in distributing information that includes both the vulnerability and the solution that addresses it. Oort will publicly acknowledge in a written advisory the work of a security researcher who privately brings the company valid information about a vulnerability and then works with Oort to coordinate the public announcement after a fix or patch has been developed, fully tested, and deployed by Oort and its customers within a reasonable amount of time. We recognize the value of open publication of security analysis, and encourage security researchers to document and publish their findings as a way to help minimize risks for all, and to help users protect themselves.