Responsible Disclosure Policy

Thank you for your interest and efforts in helping make our system better. We are excited to work with you and we are pleased to offer a range of rewards for qualified vulnerabilities discovered and reported. Optoro will offer rewards at our discretion and all reward decisions will be final with respect to who is rewarded, how much is rewarded, and if any reward will be provided at all. Any vulnerabilities discovered in good faith and within the terms of our program will not result in legal action. 

Here is an overview of when and how we offer rewards:

  • One reward per vulnerability: only the first verifiable report of the vulnerability will be eligible for a reward. 
  • If multiple vulnerabilities are the result of the same root cause, this will be classified as a single vulnerability and will only be eligible for one reward. 
  • Optoro reserves the right to determine when and how a reward, if any, will be distributed for all vulnerabilities discovered. Reward amounts typically vary between $25 and $500 depending on the severity of the vulnerability discovered. Please note that rewards are in US dollars and will be subject to relevant exchange rates. 
  • The vulnerability must be one of which Optoro was previously not aware.
  • The vulnerability must be significant. Optoro reserves the right to determine whether the vulnerability qualifies as “significant.” 
  • Going public with any vulnerability discovery without the express consent of Optoro will rescind eligibility for a reward. 
  • We reserve the right to withhold a reward if we believe you have acted in a way that has violated the law or endangered the security of Optoro or Optoro’s users. 

Rewards 

Our rewards are based on the severity of a vulnerability. Optoro uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of Optoro. Issues may receive a lower severity due to the presence of compensating controls and context. 

The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at Optoro’s discretion. 

Severity                            Amount (in USD)
Critical                            $500
High                                $250
Medium                              $100
Low                                 $25
Biz Accepted Risk or Informational  $0


What we expect from you

  • Use the User-Agent header “optorordp_researcher_firstname_lastname” while testing. Failure to use this header will make you ineligible for a reward. Automated tools should be configured to use this header as well.
  • Automated tools can be used, but must be configured to send no more than 1 (one) request per second to any particular device, and must use the User-Agent header as above.
  • Provide details of the vulnerability finding, including information needed to reproduce and validate the report. 
  • Avoid privacy violations and disruptions to others, including unauthorized access to, or destruction of data. 
  • Only interact with accounts that are your own, or with the explicit permission from the account holder. If you do encounter user information that you do not have permission to access, stop immediately and report the access to infosec@optoro.com. Do not use, save, copy, store, transfer or otherwise retain any such information. 
  • Give us reasonable time to investigate, confirm and mitigate an issue you report to us before making public any information about any vulnerabilities discovered.
  • Act in good faith in discovery of vulnerabilities, do not use vulnerabilities for purposes other than your own investigation. 
  • Secure your own systems as tightly as possible. 
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others. 

Services and Products in Scope 

Bounty-eligible findings are limited to the following production web applications and mobile apps: 

  • BULQ.com 
  • Optiturn.com 
  • Optoro.com 
  • Optoro.io 

What you are not allowed to do 

The following finding types are not rewarded, and using any of the following methods will disqualify you from earning a reward: 

  • “Self” XSS; 
  • HTTP Host Header XSS without working proof-of-concept; 
  • Incomplete/Missing SPF/DKIM; 
  • Social Engineering, Denial of Service, Brute Force, or Phishing attacks;
  • Altering the system in any way, altering or deleting information in the system, or installing backdoors. If you need to copy information for your investigation, do not copy more than one record. Backdoors cannot be installed, even to demonstrate vulnerabilities in a system. 

What you can expect from us 

  • We will respond as quickly as possible to an initial vulnerability report and will update you once we have remediated the issue. Some issues will take longer to address, and we may need the vulnerability to remain non-public for a longer time to ensure that our security team has an adequate amount of time to address the vulnerability. 

How to report 

  • Fill out Optoro’s vulnerability report form. Alternatively, you may send an email to bugbounty@optoro.com with a brief description of the vulnerability discovered and any relevant information needed for us to investigate and reproduce the vulnerability, such as target and tools used. In your email, you must include your name and address (including your country of residence) to be eligible for any potential reward, and you will have to sign Optoro’s responsible disclosure confidentiality and terms agreement to receive any payment. 
  • Reports that are incomplete or unclear will not be considered. 
  • By reporting a vulnerability, you are agreeing that you will never disclose functioning exploit code for the applicable vulnerability to any other entity or person, unless Optoro makes that code generally publicly available or you are required by law to disclose it.
  • You are not eligible if:
    • You are the author of the code that contains the bug or were otherwise involved in its integration into Optoro.
    • You created or assisted in the creation of the bug you are reporting.
    • You are a current employee or contractor of Optoro or its affiliates.
    • You reside in a country that is under any current U.S. sanctions.
  • You are eligible if:
    • You are either an individual researcher participating in your own individual capacity or you work for an organization that permits you to participate.
    • You have executed Optoro’s responsible disclosure confidentiality and terms agreement.
    • You provide your real name and contact information.