Vulnerability Disclosure Program
Updated Dec 2, 2024
At Ocoya, we deeply value the cybersecurity community's role in safeguarding the integrity of our systems and protecting our users' data. Our Vulnerability Disclosure Program (VDP) is a testament to this commitment, serving as an additional layer of security for our solutions and infrastructure. We invite individuals, developers, and experts (referred to as "Researchers") to participate in this initiative by identifying and responsibly disclosing vulnerabilities before they can be exploited maliciously.
We encourage Researchers to report any vulnerabilities they discover in Ocoya's ecosystem promptly. Submission of reports is governed by the terms and conditions outlined below. By submitting a vulnerability report to Ocoya, you acknowledge that you have read and accepted these terms. Let’s work together to maintain a secure and trustworthy digital ecosystem for everyone!
TERMS AND CONDITIONS
Researchers must comply with the following rules:
- Prohibited Activities:
  - Do not execute or attempt to execute any “Denial of Service” (DoS) or Distributed Denial of Service (DDoS) attacks.
  - Do not distribute, upload, or store malicious software using Ocoya systems.
  - Avoid sending unsolicited emails, spam, or unauthorized messages.
  - Do not engage in testing methods that disrupt Ocoya services or operations.
  - Social engineering techniques are strictly prohibited.
  - Do not test or interact with third-party applications, websites, or services that are not owned or operated by Ocoya.
- Automated Scans:
  - Automated vulnerability scans must be rate-limited to a maximum of 5 requests per second.
- Data Handling:
  - Do not disclose any sensitive information uncovered during testing to the public or third parties without Ocoya’s explicit consent.
  - Erase all data obtained during your analysis once the vulnerability report is submitted.
SCOPE
In Scope:
- Domains: *.ocoya.com
Accepted Vulnerabilities Include (but are not limited to):
- Injection vulnerabilities (e.g., SQLi, XSS, XXE, OS command injection).
- Broken authentication or session management.
- Remote code execution.
- Insecure direct object references.
- Sensitive data exposure.
- Security misconfigurations.
- Missing function-level access control.
- Use of components with known vulnerabilities.
- Directory traversal.
- Exposed credentials.
Out of Scope:
- Vulnerabilities requiring outdated or unsupported browsers or platforms.
- Issues without a clearly identified security impact (e.g., missing security headers, descriptive error messages).
- Vulnerabilities in third-party applications or content not owned by Ocoya.
- Self-XSS (that cannot be used to exploit others).
- DoS/DDoS attacks, spam, or phishing reports.
RESPONSE PROCESS
Ocoya will keep you informed throughout the investigation process. Vulnerability reports will be reviewed by our internal team, and any rewards (if applicable) will be determined on a case-by-case basis at Ocoya's sole discretion.
LEGAL AND CONFIDENTIALITY
By submitting a vulnerability report, you confirm:
- That you are the original author of the report and grant Ocoya full rights to use, reproduce, and adapt your submission.
- You will not use Ocoya’s name, logo, or branding for personal or promotional purposes without prior consent.
- You will not disclose your findings publicly without explicit permission from Ocoya.
REPORT VULNERABILITIES
To report a vulnerability, please email your findings to support@ocoya.com.
Note: Attachments must be in PDF format.
Thank you for partnering with us to enhance Ocoya’s security and safeguard our users!