Vulnerability disclosure policy
This page presents the vulnerability disclosure policy for Ondilo products.
We consider that the safety and security of our customers is one of the top priorities. Therefore, we design and make products and services with the best quality and reliability possible. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our products and services.
This document describes Ondilo’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.
Everyone is encouraged to report identified vulnerabilities, regardless the type of service or products. Customers, partners, researchers or any other source are welcomed to report the vulnerabilities.
Vulnerability Disclosure Policy
If you believe you have discovered a security vulnerability or have a security incident to report, please submit your report to us using the following link : security@ondilo.com
Please include a detailed description of the possible vulnerability and an email address where we can reach you in case, we need more information.
You should expect confirmation of receipt within seven business days, and periodic status updates until the issue is resolved.
We appreciate your help in making Ondilo products, apps and websites secure.
Guidance
You must not :
- break any applicable law or regulations
- access unnecessary, excessive or significant amounts of data
- modify data in the Ondilo’s systems or services
- use high-intensity invasive or destructive scanning tools to find vulnerabilities
- attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
- disrupt the Ondilo’s services or systems
- submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers
- communicate any vulnerabilities or associated details other than by means described in this Policy
- social engineer, ‘phish’ or physically attack the Organisation’s staff or infrastructure
- demand financial compensation in order to disclose any vulnerabilities
You must :
- always comply with data protection rules and must not violate the privacy of the Ondilo’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
- securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).