Responsible Disclosure
As a security research organization, we take the security of our own infrastructure seriously. If you've discovered a vulnerability in ODINT's systems, we want to hear about it. We commit to working with security researchers who report vulnerabilities responsibly.
Report a Vulnerability
For security-related issues with ODINT infrastructure:
contact@odint.org
Please include "SECURITY" in the subject line.
Scope
In Scope
- odint.io website and subdomains
- Our public-facing web applications
- API endpoints (when available)
- SecureDrop instance (when operational)
- Authentication and authorization issues
- Data exposure vulnerabilities
Out of Scope
- Social engineering attacks against our team
- Physical attacks against our infrastructure
- Denial of service attacks
- Third-party services we use (report to them directly)
- Issues requiring physical access
- Spam or phishing
What to Include
When reporting a vulnerability, please include:
- Description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Proof of concept (screenshots, videos, or code) if possible
- Your assessment of the severity
- Any suggestions for remediation
- Your contact information for follow-up (can be anonymous)
Our Commitment
When you report a vulnerability to us, we commit to:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 7 days
- Keep you informed of our progress
- Credit you in any public disclosure (if desired)
- Not take legal action against good-faith researchers
Important
Please do not publicly disclose vulnerabilities until we've had reasonable time to address them. We ask for a minimum of 90 days before public disclosure.
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who:
- Act in good faith and avoid privacy violations
- Avoid disruption to our services
- Do not access or modify data belonging to others
- Report vulnerabilities promptly
- Give us reasonable time to remediate before disclosure
Note
This page is for reporting security issues with ODINT's own infrastructure. If you want to report exposed government infrastructure you've discovered, please visit our Submit a Tip page instead.