We take the security of our systems and client projects seriously. This page describes how to report vulnerabilities responsibly.
Scope
Reports should concern ostordev.com and explicitly authorized test environments. Do not access customer data without written permission from the data owner.
How to report
Email security@ostordev.com with a clear description, reproduction steps, and impact assessment. Encrypt sensitive details if your mail client supports it.
Safe harbor
We will not pursue legal action against researchers who follow this process in good faith: no degradation of service, no exfiltration beyond minimal proof, and reasonable coordination timelines.
Client projects
For vulnerabilities in applications we operate on behalf of clients, include the client name if known so we route to the correct incident channel.
Recognition
With your consent, we may credit researchers in a hall of thanks. Commercial bounty programs, when active, will be published separately.
Law enforcement
We cooperate with lawful requests while protecting user privacy to the extent permitted by law. Narrow requests are preferred.
Non-security inquiries? Use the general contact form