We take security, trust, and transparency seriously. OCS appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to OCS and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to OCS.
If you believe you have found a security vulnerability that could impact OCS or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow OCS’s Vulnerability Disclosure Policy and HackerOne’s Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
EXAMPLE: Missing SPF records or other email misconfiguration is not a reportable issue unless you can demonstrate that this missing record or misconfiguration allows you to successfully do something with significant impact.
In order for your submission to be eligible:
As mentioned in our Privacy and Security Policy, OCS Hosting Service website and services are not intended for, or designed to attract, individuals under the age of 18.
Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the legal age of of the country where they reside will not be eligible to receive OCS Hosting service rewards unless a verifiable letter from a legal custodian is submitted.
We will find another way to recognize your effort.
For each eligible vulnerability report, the reporter will receive:
The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.