Vulnerability disclosure policy

This page presents the vulnerability disclosure policy for Ondilo products.

We consider the safety and security of our customers to be among our top priorities. Therefore, we design and build our products and services to the highest standard of quality and reliability we can achieve. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our products and services.

This document describes Ondilo's policy for receiving reports of potential security vulnerabilities in its products and services, and the company's standard practice with regard to informing customers of verified vulnerabilities.

Everyone is encouraged to report identified vulnerabilities, regardless of the type of service or product. Customers, partners, researchers and any other source are welcome to report vulnerabilities.

Vulnerability Disclosure Policy

If you believe you have discovered a security vulnerability or have a security incident to report, please submit your report to us at the following address: security@ondilo.com

Please include a detailed description of the possible vulnerability and an email address where we can reach you in case we need more information.

You should expect confirmation of receipt within seven business days, and periodic status updates until the issue is resolved.

We appreciate your help in making Ondilo products, apps and websites secure.

Guidance

You must not:

  • break any applicable law or regulations
  • access unnecessary, excessive or significant amounts of data
  • modify data in Ondilo's systems or services
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
  • disrupt Ondilo's services or systems
  • submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers
  • communicate any vulnerabilities or associated details other than by means described in this Policy
  • social engineer, ‘phish’ or physically attack the Organisation’s staff or infrastructure
  • demand financial compensation in order to disclose any vulnerabilities

You must:

  • always comply with data protection rules and not violate the privacy of Ondilo's users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
  • securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).