
Vulnerability Disclosure Policy

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Expectations

When working with us according to this policy, you can expect us to:

  • Extend Safe Harbor (see below) for your vulnerability research that is related to this policy;
  • Work with you to understand and validate your report, including a timely initial response to the submission (usually within one business day);
  • Work to remediate discovered vulnerabilities in a timely manner; and
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Ground Rules

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:

  • Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channel (see below) to discuss vulnerability information with us;
  • Keep the details of any discovered vulnerabilities confidential until we've had at least 90 days to resolve the issue or until they are fixed;
  • Perform testing only on systems in the Scope of this policy (see below), and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII) or proprietary information;
  • Do not engage in extortion.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar national or state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from national implementations of the WIPO Copyright Treaty (such as the Digital Millennium Copyright Act in the US), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channel (see below) before going any further.

Scope

The scope of this policy covers:

  • Our web site and other Internet resources in the domain obdev.at; and
  • All software which can be downloaded from servers in the domain obdev.at.

Explicitly not in the scope of this policy are third-party services such as our payment processors mPAY24.com and paypal.com.

CVE Numbers

We, Objective Development, are a CVE Numbering Authority (CNA) for the scope of our own products and services as outlined under "Scope" above. This means that all information about vulnerabilities of these products and services must be directed to our Official Channel (see below).

If we acknowledge the issue you report as a vulnerability, we assign a CVE number. The number and associated data are kept secret until either (a) the issue is fixed and customers have been given time to upgrade, or (b) the issue has become public.

Official Channel

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@obdev.at. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in release notes.

If you’d like to encrypt the information, please use our PGP key:


Acknowledgements

This Vulnerability Disclosure Policy is based in part on documents provided by disclose.io and Bugcrowd.

© 2021 Objective Development Software GmbH