
Responsible Disclosure Policy

Last updated: February 15, 2026

OOOSEC is committed to maintaining the security of our platform and the programs hosted on it. We value the security research community and encourage responsible disclosure of vulnerabilities. This policy outlines the guidelines for security researchers and the terms under which we provide limited legal safe harbor.

Limited Safe Harbor

OOOSEC provides limited legal safe harbor for security researchers who:

  • Act in good faith and comply with this policy
  • Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
  • Report vulnerabilities promptly through proper channels
  • Do not exploit vulnerabilities for personal gain or malicious purposes
  • Allow reasonable time for remediation before any disclosure

Important: Safe harbor protection is conditional. Violations of this policy or engaging in prohibited activities will void safe harbor protections and may result in legal action.

Prohibited Activities

The following activities are strictly prohibited and will void any safe harbor protection:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Social engineering, phishing, or physical attacks against employees or users
  • Accessing, downloading, or exfiltrating user data beyond proof of concept
  • Modifying or deleting data belonging to other users
  • Automated scanning without rate limiting (max 1 request per second)
  • Testing against production systems without explicit authorization
  • Disclosing vulnerabilities publicly without approval
  • Selling or transferring vulnerability information to third parties
  • Using vulnerabilities to access systems beyond the initial proof of concept
  • Physical attacks against OOOSEC infrastructure or personnel

Publication & Disclosure

Approval Required Model

OOOSEC operates under an Approval Required disclosure model. This means:

  • You may publicly mention the severity level of a resolved vulnerability
  • Publishing reward amounts, program names, or technical details requires explicit written approval from OOOSEC and the affected program
  • Unauthorized disclosure may result in forfeiture of rewards and platform ban

How to Request Publication Approval

  1. Wait until the vulnerability has been fully remediated and verified
  2. Submit a publication request through the OOOSEC platform dashboard
  3. Include a draft of your intended publication for review
  4. Allow up to 14 days for review by OOOSEC and the program owner
  5. Receive written approval before publishing

Reporting Security Issues

For the OOOSEC Platform

To report security vulnerabilities in the OOOSEC platform itself:

Email: security@ooosec.com

Please include: vulnerability description, steps to reproduce, impact assessment, and any supporting evidence.

For Programs on OOOSEC

To report vulnerabilities in programs hosted on OOOSEC, submit your report through the program's submission form on our platform. Each program has its own scope, rules, and reward structure.

Policy Enforcement

Violations of this policy may result in:

  • Warning and temporary suspension of platform access
  • Forfeiture of pending rewards for the affected report
  • Permanent ban from the OOOSEC platform
  • Legal action for serious violations

Questions

If you have questions about this policy, contact us at security@ooosec.com.