OSI Security - Penetration Testing & Web Application Security Consultants

Vulnerability Disclosure Policy

OSI Security takes security vulnerabilities seriously.

If you think you've found a vulnerability in our organisation, you may report it via the Contact page or send us an encrypted message. Please note that we are generally aware of issues that arise as a consequence of providing an Internet business presence, and we may have chosen to accept them as negligible risks that do not require action on our part, or they may be outside of our control.

If you think you have found a valid issue, we shall endeavour to acknowledge your report and respond promptly. We may provide a reward as we see fit, which may include but is not limited to:
  • Bug bounty payment
  • Beers
  • Job offer
  • Other goodies

During the course of business, we often find new vulnerabilities in our clients' networks and vendor products. As a consequence of being treated poorly in the past for reporting critical vulnerabilities, we do not adhere to any official disclosure standard.

Depending on the vulnerability type we may:
  • Report it to the vendor for resolution. Generally we provide ample time to fix, which can be anywhere from days to years.
  • Sometimes we publish vulnerability advisories. We aim to publish them after the vendor has provided a fix and users have had enough time to patch (from days to several years, to ensure the safety of the Internet). If communication attempts have been unsuccessful, we may publish it as a zero-day exploit with no patch available, after our clients have mitigation in place.
  • We do not publish advisories for the majority of issues we identify, unless a client requests us to do so (this includes both when a vendor has provided a silent patch and when we did not report it to the vendor at all).
  • If working with law enforcement or covert projects, we will not make a report provided it is being used lawfully.

If we have made a vulnerability report to you or your organisation, you should consider it a good sign that we are striving to help you secure your product and the Internet at large. We hope you treat us with respect and we shall afford you the same.
NSW Government ICT Services (SCM0020) approved supplier
OSI Security is an approved supplier to the Victorian Government
OSI Security is an approved supplier to the Queensland Government
OSI Security is an approved supplier to the New Zealand Government
OSI SECURITY ACN 144 579 751 © 2010 - 2025.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.