Responsible Disclosure Policy

Effective Date: May 11, 2026
Last Updated: May 11, 2026

Octelligence Inc. values the work of independent security researchers and welcomes good-faith reports of vulnerabilities affecting our products, websites, and infrastructure. This policy describes what is in scope, how to report a vulnerability, the safe harbor we provide to good-faith researchers, and what to expect after you report.

1. Scope

This policy covers vulnerabilities in the following systems:

  • octelligence.com and its subdomains, except where listed as out of scope.
  • app.octelligence.com and the production Octelligence platform.
  • Public APIs operated by Octelligence.
  • Authentication systems, session management, and account-recovery flows operated by Octelligence.

Examples of vulnerabilities we are interested in include authentication bypass, broken access controls, server-side request forgery, remote code execution, SQL injection, cross-site scripting affecting authenticated sessions, sensitive data exposure, and significant business-logic flaws.

2. Out of Scope

The following are out of scope. Please do not test against them:

  • Third-party services not operated by Octelligence (for example, Stripe, AWS, Postmark, Google Analytics). Report issues with those services to their respective security teams.
  • Findings produced only by automated scanners without demonstrable real-world impact.
  • Denial-of-service, volumetric, brute-force, or resource-exhaustion attacks.
  • Social engineering, phishing, or physical attacks against our employees, contractors, customers, or facilities.
  • Reports based solely on missing security headers, lack of best-practice configurations, or theoretical issues without demonstrated impact.
  • Email-spoofing issues (such as SPF, DKIM, or DMARC misconfigurations) unless paired with a working exploit.
  • Self-XSS or vulnerabilities that require physical access to the victim's device or browser session.
  • Reports about software versions without a corresponding working exploit.
  • Findings in test, staging, or experimental environments not intended for production use.

3. Safe Harbor

If you make a good-faith effort to comply with this policy during your research, Octelligence will:

  • Consider your research authorized under applicable computer-crime, contract, and intellectual-property laws, including the Computer Fraud and Abuse Act and equivalent laws in other jurisdictions, to the extent we have authority to grant such authorization.
  • Not initiate or support legal action against you for accidental or good-faith violations of this policy.
  • Work with you to understand and resolve the issue quickly.

To remain within safe harbor, you must:

  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or alteration of data.
  • Use only your own accounts, or accounts you have explicit permission to test. Do not access, modify, or exfiltrate data belonging to other users.
  • Stop testing and report immediately if you encounter any sensitive personal information, credentials, or proprietary data.
  • Give us reasonable time to investigate and remediate before publicly disclosing.
  • Comply with all applicable laws.

Safe harbor under this policy applies only to actions taken in accordance with this policy. Activities outside the scope of this policy, or that violate applicable law, are not authorized.

4. How to Report

Send vulnerability reports to:

  • Email: security@octelligence.com
  • Subject line: "Security Vulnerability Report"

Please do not report security vulnerabilities through public channels such as social media, GitHub issues, or our public contact form.

5. What to Include

To help us evaluate and reproduce your report quickly, please include:

  • A clear description of the vulnerability and the affected URL, endpoint, or feature.
  • Step-by-step instructions to reproduce the issue.
  • A description of the impact, including what an attacker could realistically achieve.
  • Any proof-of-concept code, screenshots, or HTTP traces, redacted of personal data.
  • Your name or handle (if you wish to be credited) and a way to reach you.

6. What to Expect

After you submit a report, you can expect the following timeline:

  • Within 3 business days: an acknowledgement that we received your report.
  • Within 10 business days: an initial assessment, including whether the issue is in scope and a preliminary severity rating.
  • Ongoing: periodic updates as we investigate and remediate.
  • On resolution: notice that the issue has been fixed and, where appropriate, credit in our acknowledgements.

We treat all reports as confidential and will only share details with personnel and trusted partners who need them to investigate or remediate.

7. Coordinated Disclosure

We ask that you give us a reasonable period to remediate before publicly disclosing details of a vulnerability. Our default coordinated-disclosure window is ninety (90) days from the date we acknowledge the report, with the option to extend by mutual agreement when remediation requires additional time. We are happy to coordinate timing of any public write-up and to credit researchers who follow this process.

8. Recognition

We maintain a security acknowledgements list to thank researchers who have responsibly disclosed valid vulnerabilities. We do not currently operate a paid bug-bounty program; researchers who wish to be credited should indicate this in their report. We may offer recognition gifts at our discretion for high-impact reports.

9. Legal

This policy does not waive any rights or obligations under our Terms of Service or applicable law beyond the safe harbor expressly described above. We may update this policy from time to time. Material changes will be reflected by a revised "Last Updated" date.
