Vulnerability Disclosure Policy
OSI Security takes security vulnerabilities seriously.
If you think you've found a vulnerability in our organisation, you may report it via the Contact page or send us an encrypted message. Please note that we are generally aware of issues as a consequence of providing an Internet business presence and may have chosen to accept them as negligible risk which does not require action on our part or are outside of our control.
If you think you have found a valid issue, we shall endeavour to acknowledge your report and respond promptly. We may provide a reward as we see fit, which may include, but is not limited to:
- Bug bounty payment
- Beers
- Job offer
- Other goodies
During the course of business, we often find new vulnerabilities in our clients' networks and in vendor products. As a consequence of being treated poorly in the past for reporting critical vulnerabilities, we do not adhere to any official disclosure standard.
Depending on the vulnerability type we may:
- Report it to the vendor for resolution. Generally we provide ample time to fix, which can be anywhere from days to years.
- Sometimes we publish vulnerability advisories. We aim to publish them after the vendor has provided a fix and users have had enough time to patch (from days to several years, to ensure the safety of the Internet). If communication attempts have been unsuccessful, we may publish it as a zero-day exploit with no patch available, after our clients have mitigation in place.
- We do not publish advisories for the majority of issues we identify unless a client requests us to do so (this includes both cases where a vendor has provided a silent patch and cases where we did not report it to the vendor at all).
- If working with law enforcement or on covert projects, we will not make a report, provided the vulnerability is being used lawfully.
If we have made a vulnerability report to you or your organisation, you should consider it a good sign that we are striving to help you secure your product and the Internet at large. We hope you treat us with respect and we shall afford you the same.