OCS Vulnerability Disclosure Policy
We take security, trust, and transparency seriously. OCS appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to OCS and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to OCS.
If you believe you have found a security vulnerability that could impact OCS or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow OCS’s Vulnerability Disclosure Policy and HackerOne’s Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
- Any web properties owned by ordercloudserver.com are in scope for the program.
- Customers of ordercloudserver.com, or non ordercloudserver.com sites in-front or behind our infrastructure are out of scope.
- Submissions that are specifically detailing a "best practice" are out of scope unless they are exploitable in mass.
EXAMPLE: Missing SPF records or other email misconfiguration is not a reportable issue unless you can demonstrate that this missing record or misconfiguration allows you to successfully do something with significant impact.
- Finally, If you are a customer and have a password or account issue, please contact OCS Hosting Service - support.
- For abuse issues or law enforcement inquiries, please contact our legal team.
ELIGIBILITY and DISCLOSURE
In order for your submission to be eligible:
- You must agree to our Vulnerability Disclosure Policy.
- You must be the first person to responsibly disclose an unknown issue.
- All legitimate reports will be reviewed and assessed by OCS Hosting Service security team to determine if it is eligible.
As mentioned in our Privacy and Security Policy, OCS Hosting Service website and services are not intended for, or designed to attract, individuals under the age of 18.
Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the legal age of of the country where they reside will not be eligible to receive OCS Hosting service rewards unless a verifiable letter from a legal custodian is submitted.
We will find another way to recognize your effort.
For each eligible vulnerability report, the reporter will receive:
- Recognition on our Hall of Fame.
- A limited edition OCS bug hunter t-shirt. OCS employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.
- 3 months of OCS Hosting FLEX hosting package is on us.
- Monetary compensation is not currently offered under this program.
The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.
- Physical attacks against OCS Hosting Service employees, offices, and data centers.
- Social engineering of OCS Hosting Service employees, contractors, vendors, or service providers.
- Knowingly posting, transmitting, uploading, linking to, or sending any malware.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
- Any vulnerability obtained through the compromise of a OCS Hosting Service customer or employee accounts. If you need to test a vulnerability, please create a free account.
- Being an individual on, or residing in any country on, any U.S. sanctions lists.