Responsible Disclosure
OCIC Research welcomes the work of the security community. This policy explains how to report vulnerabilities in our systems safely, and what you can expect from us in return.
- Last Updated: 03 Jun 2026
- Version: v1.0.0
- Review Cycle: Annual
Our Commitment
Security is core to who we are. We believe coordinated disclosure makes everyone safer, and we are committed to working with researchers who identify and report vulnerabilities in our systems in good faith.
This policy sets out how to report a vulnerability to OCIC Research, what is in and out of scope, the protections we extend to good-faith researchers, and the process we follow once a report is received.
Scope
This policy applies to internet-facing systems, services, and applications operated by OCIC Research, including our primary domains and their subdomains.
If you are unsure whether a target is in scope, ask us before testing. Assets owned by third parties, even if they integrate with our services, are not covered by this policy and may be governed by the third party's own program.
Safe Harbor
We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. We consider such activity to be authorized, provided that:
- You make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- You only access the minimum data necessary to demonstrate the issue.
- You do not exploit the issue beyond what is needed to prove it exists.
- You give us a reasonable opportunity to remediate before any public disclosure.
If legal action is initiated by a third party against you for activity conducted in accordance with this policy, we will make this authorization known. This safe harbor does not apply to activity that violates the law or the constraints below.
Reporting a Vulnerability
Send your report to disclosure@ocic.io. We support encrypted communication and ask that you do not disclose the issue publicly until we have had an opportunity to investigate and remediate.
Please submit one report per vulnerability and provide enough detail for us to reproduce and triage the issue quickly.
What to Include
- A clear description of the vulnerability and its potential impact.
- The affected asset, URL, or endpoint.
- Step-by-step instructions to reproduce, including any proof-of-concept.
- Relevant logs, request/response samples, or screenshots.
- Your assessment of severity and any suggested remediation.
Our Process & Timelines
We aim to handle every report promptly and to keep you informed throughout. Our target timelines are:
- Acknowledgement of your report within 3 business days.
- Initial triage and severity assessment within 10 business days.
- Regular status updates until the issue is resolved.
- Coordinated public disclosure, where appropriate, after remediation.
Out of Scope
The following are generally not eligible under this policy and should not be tested:
- Denial-of-service (DoS/DDoS) and volumetric or brute-force testing.
- Social engineering, phishing, or physical attacks against staff or facilities.
- Reports from automated scanners without a demonstrated, exploitable impact.
- Missing best-practice headers or configuration with no proven security impact.
- Vulnerabilities affecting unsupported browsers or third-party services we do not control.
Recognition
We are grateful to researchers who help keep our platform secure. With your permission, we are happy to acknowledge valid, original reports publicly once an issue has been resolved.
OCIC Research does not currently operate a paid bug bounty program. Recognition is offered as thanks, not as monetary compensation.
Legal
This policy does not authorize activity that is inconsistent with applicable law. You are responsible for complying with all laws applicable to you, and for not accessing or affecting accounts or data that do not belong to you beyond what is strictly necessary to demonstrate a vulnerability.
We may update this policy at any time; the applicable version is the one published here at the time of your testing.
Contact
Security reports: disclosure@ocic.io. General security enquiries: security@ocic.io. A machine-readable version of our contact details is published at /.well-known/security.txt.
