Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
When working with us according to this policy, you can expect us to:
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
When conducting vulnerability research according to this policy, we consider this research to be:
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channel (see below) before going any further.
The scope of this policy covers:
Explicitly not in the scope of this policy are third party services such as our payment processors unzer.com and paypal.com.
We, Objective Development, are a CVE Numbering Authority (CNA) for the scope of our own products and services as outlined under "Scope" above. This means that all information about vulnerabilities of these products and services must be directed to our Official Channel (see below).
If we acknowledge the issue you report as a vulnerability, we assign a CVE number. The number and associated data is kept secret until either (a) the issue is fixed and customers have been given time to upgrade, or (b) the issue has become public.
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@obdev.at. Please include the following details with your report:
If you’d like to encrypt the information, please use our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFyvY0YBEADWiHTLI8vBsxFtykbthd9Pq5owFaveRE8YFgOLzti/XQd4LtzV
Yogj3bpxEuG9OcJRLjiMH7s/OvXgVsXgixSvOb+fHtVbkYQB8zSaUA8ebsXdOlWy
JlHpgrWlLMRIEzGrRo9aT6rv8IyY1reXPQhYmRIvpS56hrOES7u6p43gPqAHMKGn
Ne1hA86qQ3mYVyYJeAqVPsY0kDGwQR/v0bObvVGqnJ3rFK1gKII0mwuoEbc0ofTX
zPX8iXFaqqlehMB3NBm97oDpmuHvfP4654hqOyNknnhuaSefknLbGJdPS/y63M/7
dIId0FAVtYHswyg6OpKMS8GfJbJk1ZxBvNhvR2Rz7K977ge2/DiVfAXrbm0JqfJ8
fNiguI6cnMt8joJhHTZwUm7hgjluPQtigY8sHmZLkdTDycQwM2sBDA1CBIz44pJt
0Gl+7cONd/HdCPiVWm2DV32pZEjj1trgrNG78ieGKwXn1Bs/WD4NYaYz12xPX9Dx
Tdba1nxi1BgQDdm8SIIFNG8BwdT98UiSpcBIZEwMfAe89B2pXBfgDDeNG/T9l6vw
cUV9kXgzhq0JVdcMAyweUFFqWdS6h5+GJp1V2UaAlv/MYTsbcKFjR5+3DtEWlRZ5
Sn42/F7uiZRS3r5QxXSIr3nCqszaixZnptHNaO+CT3b1/EgHokyYIqeqoQARAQAB
tCtWdWxuZXJhYmlsaXR5IFJlcG9ydGluZyA8c2VjdXJpdHlAb2JkZXYuYXQ+iQJU
BBMBCgA+FiEEDF2qW96iRZ7qS88ODQTAyxg3grEFAlyvY0YCGwMFCQlopIAFCwkI
BwMFFQoJCAsFFgIDAQACHgECF4AACgkQDQTAyxg3grGSog//Y2tdA7TNdci40AOc
wW8loeTo2LFdUbxlfH934CqkIYNXtJgUttEWS9bFVUbXTNypRNssAdqOWb0GgsUG
j9OzI3jw2Z+SDmkwygjmxWB9/SsRNuG6Qt8ZB80Pec2UgCFhnHKZQ0cPNWZBW/03
LhbTJQ/g3c6vTWKmnrOx184h2EkiPz2+TZsLNsf9dkrkOwEUxgAFNIhrQ+gwbUTr
PECoFy2KHVr6Hf78zLrU6J7Tlp/PnBmsxDdTcrCJfd0X5ZZ7iGH1i2h7e0SreJSE
Jqf9AEGVPUxUmqfsnDM+N6IXlJdh2ncr7t6oYPrDXnwsvQ+oh/rmw2wmnkLLDXiv
bM4ILltuWFlYRIVSjVrDAB0noebPNbQb/2yr4W8OYd0K0vOaHY7o7Ek69IttxUke
dC1YkKW/56gCwioJ6xqYaBQexY+i0Jr25bMCwkICJUVz5REXjsUBWHy52CBcRtwO
+vtaT95pmnK/oRShIapUInDuNFqyBz8x6Etsh8HfoM14d1is2K8tfP5v8ZjpDXPa
RZ/v7xTVRIHgDlpSdjJeedjTnsOWlJE69DOXCZYf6U0ELGCd+qk/feombQzLC3Im
j9ad80ePpK2VoimDU9Tl99/S9ZGdcCS+K5ke5vTiZXhIJOG9NvDLrm+evx5MyC3S
XE9pUMuHnDWgNPmbyv9lRWLha1K5Ag0EXK9jRgEQALh6TciZik5bPvYHMQnr4EYd
7cGBypLlFGlD010+kvrWXAFlRZYGmz9e8JHUVDMkI+Baqssblrj2X78PHCYdFwsK
ETDfSTWof2pwWW9sVHzcF63z/caMi0aRij2zzsvmurCJ245JuaR207OToE7q4pr6
9QOb53JGsH82AcuNHZ6Z+j1ZRBmSlOREXG+8zxZfk1x4ifJo2fAxZTLFfEon4bA3
s1TKwy8pqG2yCAjt7IxUSsvvbpROThLiyamRgIsm+GKCk4d5FINe1AQRoLWlVhb+
3LitjAXmeh7GkWzeegF+Ho2kupOz79GrYnc/rLdDcbEX+V5hb/Q+2iSxsAzpYQzm
78JAzN3J+j8OrL9XcPSAoeAg92krMoCEtDIpeLRUkHP14r2eeFolObuDxeGrAv4s
57u4JIFT286U/jD0w7wTzWgq52w5/xFuMr3t3zuLvh1D/0IMPJfNLmI3PgCIxi3I
fyYEkiVxQA+4XmCBNeFUgF7/yB6N3kKWXsIodv/3rhopfbM2Nt7fYrZxUE60c6ZM
CDpcBaRxT2KP/y/a9avsCdFtR+vxualEcr55h0QOe1QfBhqbNxbwubZt/yJsAtlC
H+YwBQTxdOWZMRYMhehRuC6Vh2c0yWVpipaZ7XmVaMq2rYc0hOJRNW3pELg5wEE0
1VctCvMKGSKuUN9KGZMVABEBAAGJAjwEGAEKACYWIQQMXapb3qJFnupLzw4NBMDL
GDeCsQUCXK9jRgIbDAUJCWikgAAKCRANBMDLGDeCsbz4D/9Tvr1PGK7ZvyzodtXB
8i1TnIBKj131V5O0faHNzsZ1F7nPpVGKv0/+9Hu7ngtKOgqH/lBKG10BXzPDaXFq
2iU9ffIerigLGFKG0UBUnx1nzlUeVVgHxCrGQmh461Foj7eb/NKm89CVHtcHtwNg
yIlwvAMZWub6SWTLdOvjlbCDQia1MwvmZGedQ03ZcSRIByWM+iM6RAKrSe8uiVdN
XvQxyeIUtEJj+/Csl1GXNRotVnicitIS9pm+mK5AxXwq7zpAgxrTsacyo/ESLbLP
EyHGJtivQ2OeTiDqH9vgPkbDCHJOXt700K3cPRiwFUXhGqGcSfCBlnrekuRMDEpd
NmtPux9SvRX6Tpsk7GepKJQAqOKukHwe+drZqiHu2Xa8C/yShYPzB7rkD3uTDo0X
5aH/n/y2FtZAYrw9yDiICI5kX7MMfy7mZiCXWLKXCuSiy1YspoI4f0IFhE7S2rGB
6rOFjUjy4JUskGqalfoLb4bxo+/Yuj2ZxiB2qV/xZD9nHyRPAw0R2ODTz/AXZ0BH
Vb7BRxlEvPuUx28gxsKUpYZpBxqP16jv7ISlvwaW/brIsdW/yMV2x7tI7iPAmvXH
8fZIQfbQ4X1kuISFLEe8Q31dPCa2BKFXkJYh8xYwHDwwGq9pYF+7WvdHyIfPycID
+Ec/y1/367phT5RGKKyH9k+tLg==
=nCbs
-----END PGP PUBLIC KEY BLOCK-----
This Vulnerability Disclosure Policy is based in part on documents provided by disclose.io and Bugcrowd.