Onbe Vulnerability Disclosure Policy

Vulnerability Disclosure Policy

Introduction

Onbe is committed to maintaining the security of our web applications, APIs, and the data they process. We recognize that security researchers and members of the community play an important role in identifying potential vulnerabilities that may affect our systems.

This Vulnerability Disclosure Policy provides guidance for anyone who discovers a security vulnerability in our systems and wishes to report it responsibly. We appreciate the efforts of those who help us maintain a secure environment for our users and customers.

Scope

This policy applies to the following systems and services operated by our organization.

In Scope

  • Web applications hosted on our domains
  • Public-facing APIs and API endpoints
  • Authentication and authorization mechanisms
  • Data handling and storage systems associated with our services

If you are uncertain whether a system or service falls within the scope of this policy, please contact us before conducting any testing.

Out of Scope

The following are explicitly not authorized under this policy:

  • Third-party services, applications, or websites that integrate with our services
  • Systems or services operated by our customers or partners
  • Services hosted by third-party providers (unless explicitly listed as in scope)
  • Any systems not directly owned and operated by our organization

If you are uncertain whether a system or service falls within the out-of-scope category, please contact us before conducting any testing.

Guidelines for Security Research

We ask that security researchers act in good faith and follow the guidelines below when conducting vulnerability discovery activities.

Authorized Activities

  • Testing conducted solely to identify and document security vulnerabilities
  • Use of only your own test accounts and test data
  • Reasonable efforts to avoid privacy violations, service degradation, and data destruction
  • Immediate cessation of testing if sensitive data or systems are accessed
  • Prompt reporting of the vulnerability after discovery

Prohibited Activities

The following activities are not permitted:

  • Accessing or modifying data that does not belong to you
  • Disrupting or degrading services, systems, or networks
  • Executing denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Conducting social engineering (including phishing or vishing)
  • Performing physical security testing of facilities or data centers
  • Introducing malicious code, malware, or ransomware
  • Exfiltrating, downloading, or retaining data beyond what is necessary to demonstrate the vulnerability
  • Disclosing sensitive personal or financial information to any party other than Onbe
  • Destroying, corrupting, or rendering systems or data inaccessible
  • Escalating privileges or pivoting to other systems beyond what is required for validation
  • Using automated scanning tools that generate excessive traffic or load
  • Publicly disclosing vulnerabilities before Onbe has had reasonable time to address them

How to Report a Vulnerability

If you believe you have discovered a security vulnerability, please report it using the following channel:

Email: security@onbe.com

We recommend using PGP encryption when reporting vulnerabilities involving sensitive information. Our PGP key is available at:
https://www.onbe.com/.well-known/security.txt

What to Include in Your Report

Please include the following information to help us investigate efficiently:

  • Description of the vulnerability and why it matters
  • Location of the issue (URL, API endpoint, or system)
  • Step-by-step instructions to reproduce the issue
  • Proof of concept, such as code snippets or screenshots
  • Assessment of potential impact
  • Your contact information (or note if you wish to remain anonymous)
  • Date and time the vulnerability was discovered

Reports with clear reproduction steps and proof of concept allow for faster validation and resolution.

Our Commitment to You

When vulnerabilities are reported in accordance with this policy, we commit to the following.

Acknowledgment and Communication

  • Acknowledge receipt of reports within five business days
  • Provide updates on investigation and remediation status
  • Respond to reasonable follow-up questions

Good Faith Protection

  • Work collaboratively to validate reported vulnerabilities
  • Refrain from legal action against researchers acting in accordance with this policy
  • Treat compliant research activities as authorized

Information Handling

  • Handle reports confidentially
  • Share information internally on a need-to-know basis only
  • Not disclose researcher identity without permission unless required by law

Disclosure and Coordination

To allow sufficient time for remediation, we ask that you:

  • Allow up to 90 days from initial reporting for investigation and resolution
  • Coordinate with Onbe prior to any public disclosure
  • Avoid sharing vulnerability details until remediation or a mutually agreed disclosure timeline is reached

If early disclosure is necessary due to active exploitation, please coordinate with us so we can take appropriate protective measures.

We will make reasonable efforts to:

  • Provide status updates during remediation
  • Notify you when the issue has been resolved
  • Coordinate public disclosure if desired

Legal Considerations

This policy aligns with common vulnerability disclosure standards and applicable law. By participating, you agree to:

  • Comply with all relevant local, state, national, and international laws
  • Act in good faith and avoid actions that could harm systems, users, or funds movement

If you follow this policy, we consider your activities authorized access under the Computer Fraud and Abuse Act and will not initiate legal action related to compliant vulnerability disclosure activities.

This policy applies only to systems owned and operated by Onbe. Third-party systems are subject to their own policies.

Out-of-Scope Findings

The following findings are generally not actionable:

  • Automated scanner reports without proof of exploitability
  • Issues requiring physical access
  • Social engineering vulnerabilities
  • Denial-of-service issues
  • Issues affecting unsupported or outdated platforms
  • Descriptive error messages without security impact
  • Missing security headers without exploit proof
  • Self-exploitation issues (such as self-XSS)
  • Clickjacking on non-sensitive pages
  • Email authentication configuration issues (SPF, DKIM, DMARC)
  • TLS or SSL configurations with reasonable alternatives
  • Rate-limiting or brute-force issues without real-world exploit evidence
  • Publicly known and already-remediated issues

Changes to This Policy

This policy may be updated periodically to reflect system, legal, or industry changes. The current version is available at:

https://www.onbe.com/policy/vulnerability-disclosure-policy

Contact Information

For security-related inquiries or vulnerability reports, contact security@onbe.com.
For non-security inquiries, please use standard support channels.

security.txt

Marketing's Discretion