Obvane Group

Responsible Disclosure

At Obvane Group, we strongly understand the importance of a responsible disclosure and bug bounty program.

Security research drives progress, and ethical hackers help us make our products stronger.

This policy exists to make sure that collaboration between security researchers and Obvane Group remains professional, productive, and mutually respectful.


Safe Harbor

Obvane Group will not pursue legal action or prosecution against white-hat researchers who act in good faith and within the bounds of this policy.

Researchers are expected to:

  • Avoid violating privacy or unnecessarily accessing personal data

  • Avoid disrupting, degrading, or harming our services

  • Report vulnerabilities privately and promptly to our security team at security@obvane.com


If you follow this policy, you are authorized to conduct research on our assets without fear of legal retaliation. Additionally, Obvane Group can offer legally binding Safe Harbor contracts between us and researchers that have proven themselves.


Rules of Engagement

  1. No disruptive testing.

    Denial-of-service, stress, or spam attacks are not permitted. If you accidentally impact availability or stability, please own it and contact security@obvane.com immediately.


  2. PoC or GTFO.

    We only review reports that include a clear, reproducible proof-of-concept.


  3. No skids, no beg bounty hunters.

    Submissions must demonstrate technical understanding and meaningful security impact. No copy-pasted CLI output, no AI-generated reports, and definitely no "Critical" SPF bugs.


  4. Zero-tolerance abuse policy.

    Any abusive, disrespectful, or extortionate behavior toward our team will result in us going out of our way to ensure that you never get paid in security again.


Scope and Expectations

We are ONLY interested in High and Critical vulnerabilities. Anything owned by Obvane Group should be considered in scope.

Typical in-scope categories include:

  • Authentication or authorization bypasses

  • Access control or IDOR vulnerabilities

  • Injection or remote code execution flaws

  • Significant data exposure or privilege escalation



Out-of-scope:

  • Clickjacking, rate-limit bypasses (without impact), speculative findings

  • Missing headers, theoretical risks, or automated scanner output without validation


Reporting & Conduct

We value professionalism, precision, and proof.

When submitting a report, include:

  • Affected endpoint(s) or asset(s)

  • Impact summary and severity

  • Step-by-step reproduction

  • Working proof-of-concept (video, payload, or demo link)

  • Suggested mitigation or fix


Send all reports to security@obvane.com using the subject line:

[OBVANE-SEC] <vulnerability title>


Our team will acknowledge the report within 3 days and the report will be triaged in line with HackerOne standards.


We respect skilled, ethical researchers who act in good faith.

We do not reward noise, intimidation, or low-effort submissions.

Play fair. Show skill. Help us raise the bar.


This policy should be considered open source and we encourage organizations to share our approach to responsible disclosure.

Cale Anderson

Founder / Hacker

https://obvane.com/
