Bug Bounty Program
Updated Dec 2, 2024
At Ocoya, we are committed to maintaining the highest security standards for our systems and protecting the data of our users. Our Bug Bounty Program is designed to collaborate with security researchers (referred to as "Researchers") to identify and responsibly disclose vulnerabilities. This program serves as an opportunity for researchers to contribute to our cybersecurity efforts while being recognized for their valuable findings.
We invite Researchers to submit their discoveries promptly. All submissions must adhere to the terms and conditions outlined below. By participating in the Ocoya Bug Bounty Program, you agree to abide by these terms.
Let’s work together to make Ocoya’s platform even more secure for everyone!
TERMS AND CONDITIONS
Researchers must comply with the following rules:
- Prohibited Activities:
  - Do not execute or attempt to execute any “Denial of Service” (DoS) or Distributed Denial of Service (DDoS) attacks.
  - Do not distribute, upload, or store malicious software using Ocoya systems.
  - Avoid sending unsolicited emails, spam, or unauthorized messages.
  - Do not engage in testing methods that disrupt Ocoya services or operations.
  - Social engineering techniques are strictly prohibited.
  - Do not test or interact with third-party applications, websites, or services that are not owned or operated by Ocoya.
- Automated Scans:
  - Automated vulnerability scans must be rate-limited to a maximum of 5 requests per second.
- Data Handling:
  - Do not disclose any sensitive information uncovered during testing to the public or third parties without Ocoya’s explicit consent.
  - Erase all data obtained during your analysis once the vulnerability report is submitted.
SCOPE
In Scope:
Domains: *.ocoya.com
Accepted Vulnerabilities Include (but are not limited to):
- Injection vulnerabilities (e.g., SQLi, XSS, XXE, OS command injection).
- Broken authentication or session management.
- Remote code execution.
- Insecure direct object references.
- Sensitive data exposure.
- Security misconfigurations.
- Missing function-level access control.
- Use of components with known vulnerabilities.
- Directory traversal.
- Exposed credentials.
Out of Scope:
- Vulnerabilities requiring outdated or unsupported browsers or platforms.
- Issues without a clearly identified security impact (e.g., missing security headers, descriptive error messages).
- Vulnerabilities in third-party applications or content not owned by Ocoya.
- Self-XSS (that cannot be used to exploit others).
- DoS/DDoS attacks, spam, or phishing reports.
REWARDS
Ocoya recognizes the effort and expertise required to identify vulnerabilities. Rewards will be determined based on the severity, impact, and quality of the submitted report. All rewards are issued at Ocoya's sole discretion.
RESPONSE PROCESS
Ocoya will acknowledge your submission and keep you informed throughout the investigation process. An internal team will assess the vulnerability, and rewards (if applicable) will be determined on a case-by-case basis.
LEGAL AND CONFIDENTIALITY
By participating in the Bug Bounty Program, you confirm:
- That you are the original author of the report and grant Ocoya full rights to use, reproduce, and adapt your submission.
- You will not use Ocoya’s name, logo, or branding for personal or promotional purposes without prior consent.
- You will not disclose your findings publicly without explicit permission from Ocoya.
SUBMIT A BUG
To report a vulnerability or bug, please email your findings to support@ocoya.com.
Note: Attachments must be in PDF format.
Thank you for your dedication and contributions to Ocoya’s security!