Security Policy Disclosure

At Open Raven we fully support the security community and appreciate the work done by independent researchers to help make and keep data secure.

Submitting Reports

To help ensure that we have enough information to properly evaluate a potential issue, please include the following information in your report:

  • A description of the issue explaining the vulnerability, including the impact to the user or service
  • The product feature, component, or service resource that is impacted, including any relevant URLs
  • A proof-of-concept or functional method that consistently demonstrates the issue, or logs that show the impact of successful exploitation
  • Any specific circumstances, configurations, or conditions required to exploit the issue

What to Expect

Once we receive your report, we will stay in touch with you to provide updates on our investigation and status of a fix for verified issues. During this time we might also request additional information.

Issues in Scope

Please note that potential vulnerabilities that do not by themselves expose a service or application to attack are not considered valid issues. For example, the injection or the lack of an HTML tag does not necessarily mean an application is vulnerable to cross-site scripting, and injecting a single backtick (`) does not necessarily mean it is vulnerable to SQL injection. Reports indicating that our services do not fully align with "best practice", e.g. missing security headers (CSP, x-frame-options, x-prevent-xss, etc.) or email-related configuration (SPF, DMARC, etc.), without a real, meaningful impact are not considered valid.

Bug Bounty

Open Raven does not have a paid bug bounty program. To show appreciation for the security researcher’s time and efforts, upon request we do offer a special token of our appreciation for confirmed qualifying vulnerabilities.