Openly Security Disclosure
Openly appreciates feedback from security researchers to help improve and maintain the confidentiality, security, integrity and availability of Openly systems and information.
If you believe you have discovered a vulnerability, privacy issue, or other security concern in any of our assets, we want to hear from you. Below are the steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
How to Report Security Issues
If you believe you have discovered a security concern, please let us know by emailing security@openly.com, which ensures your report will go directly to our security incident responders. The more detail you provide, the easier it will be for us to triage and fix the issue. If your findings are particularly sensitive in nature, please reach out first with a high-level summary, and we will provide instructions on next steps.
What to Include in Your Report
- Date and time of initial discovery
- Summary of the problem, including the type of issue (injection, XSS, RCE, etc.)
- Proof-of-concept or all relevant information (headers, parameters, sample code) used to demonstrate the concern
Reports We Are Not Interested In
- Same site scripting
- Self-XSS
- Clickjacking
- Social engineering attacks
- Attacks requiring physical access
What We Expect from Researchers
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Promptly report any vulnerabilities you discover
- Avoid violating the privacy of others (redact sensitive information as necessary)
- Do not disrupt our systems, destroy data, or harm our user experience. If you encounter any user data during testing, please limit the amount of data you access to the minimum needed to demonstrate a proof of concept, and submit a report
- Do not perform capacity tests, denial-of-service attacks, or distributed denial-of-service attacks
- Do not attempt to phish, spam, or social engineer any customers or employees of Openly
What to Expect from Openly
Openly will respond to your report promptly and will work with you to understand and validate your report. We strive to keep you informed of our progress as we analyze, verify, and remediate the concern within our operational constraints.
Last Updated November 15, 2022