Responsible disclosure

Found a security issue? Tell us — and we'll thank you for it.

We run a responsible disclosure programme for security researchers. Acting in good faith, you'll have our cooperation, our acknowledgement, and credit on this page.

How to report

  1. 1

    Email security@opx.io with the issue, reproduction steps, and any supporting material.

  2. 2

    Allow us reasonable time. We aim to acknowledge within 24 hours and respond with an initial assessment within five business days.

  3. 3

    Don't disclose publicly until fixed. We aim to remediate critical issues within 14 days and other issues within 90 days.

Scope

In scope

  • opx.io
  • opxos.com
  • the production platform
  • our public APIs

Out of scope

  • third-party services we use (report to those providers directly)
  • social engineering of OpX staff
  • physical security
  • denial-of-service attacks

Safe harbour

Researchers acting in good faith, in compliance with this policy, will not face legal action from OpX. We will not pursue civil or criminal action, and we'll work with you on co-ordinated public disclosure once the issue is resolved.

Hall of fame

First credits coming soon

Report an issue

security@opx.io