Bug Bounty Program
Ostorlab recognises that no technology is perfect. Therefore, Ostorlab works with skilled security researchers across the globe to identify weaknesses in its technology.
If you believe you've found a security issue in any of Ostorlab's products or services, please notify us. Ostorlab will work with you to resolve the issue promptly.
To show its appreciation of responsible security researchers, Ostorlab offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at Ostorlab's discretion.
At this time, Ostorlab's Bug Bounty program is not public, but security researchers interested in participating can request an invitation by getting in touch.
When submitting a potential security vulnerability, please provide a detailed description of the issue and steps to reproduce it. Screenshots, videos, or other forms of proof of concept are greatly appreciated. Please do not use automated vulnerability scanning tools without prior approval, and do not attempt to access or disrupt any data or systems without express consent.
Ostorlab also asks that security researchers do not disclose the vulnerability to any third parties until it has been resolved and a bounty has been paid. In addition, please do not publicly disclose the vulnerability until Ostorlab has had sufficient time to address it.
We thank you in advance for your help in keeping our technology secure. Together, we can ensure that Ostorlab's products and services remain safe and reliable for everyone.
Note
- Ostorlab may not reply to or reward all security vulnerabilities found, and the severity and impact may differ from the researcher’s perception.
- Only original findings are eligible; duplicate vulnerabilities are not rewarded.
- Any non-compliance with this policy will result in disqualification from the program.
Eligibility Requirements:
You ARE eligible to participate in the program if you meet and agree to be bound by all of the following:
- You are at least 18 years of age. However, if you are considered a minor in your place of residence, permission by your parent(s) or legal guardian(s) is required before participating in this program.
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this program.
- You agree (i) to preserve as confidential all information received from Ostorlab including, but not exclusively, all information concerning or relating to this bug bounty program (for example, Ostorlab systems architecture, business plans, etc.) and any other information and materials normally and reasonably considered confidential (“Confidential Information”), (ii) to protect Confidential Information against any unauthorized use or disclosure, and (iii) to use Confidential Information solely for the purposes for which it is provided to you.
- You represent and warrant that your submission is your own work, that you have not used information owned by another person or entity, and that you have the legal right to provide the submission to Ostorlab.
- You acknowledge that Ostorlab, at no additional cost, shall own all works created or developed by you in connection with or as a result of your participation in Ostorlab’s bug bounty program.
- You acknowledge that you are not guaranteed any compensation or credit for your submission.
You ARE NOT eligible to participate in the program if you meet any of the following criteria:
- You are under the age of 18;
- You are a resident of any countries under U.S. sanctions (https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx) or any other country that does not allow participation in bug bounty programs;
- You are a public sector employee;
- Your participation in this program will violate your employer’s policies;
- You are currently an employee of Ostorlab or an Ostorlab entity, or an immediate family member (parent, sibling, spouse, or child) of such an employee;
- You were previously an employee of Ostorlab.
NO WARRANTIES
YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK.
LIMITATION OF LIABILITY
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS OTHERWISE PROVIDED HEREIN, IN NO EVENT SHALL Ostorlab, ITS AFFILIATES OR THEIR EMPLOYEES, CONTRACTORS, AGENTS, OFFICERS OR DIRECTORS BE LIABLE TO YOU OR THE ENTITY THROUGH WHICH YOU ARE PARTICIPATING IN Ostorlab’S BUG BOUNTY PROGRAM FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR BUSINESS INTERRUPTION, LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES ARISING OUT OF OR RELATING TO THIS PROGRAM. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES IN CONNECTION WITH THE PROGRAM (INCLUDING BREACH OF THESE TERMS), YOU AGREE THAT YOUR EXCLUSIVE REMEDY IS TO RECOVER, FROM Ostorlab OR ANY AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS DIRECT DAMAGES UP TO BUT NOT IN EXCESS OF $100.00 (USD). THE EXCLUSIONS AND LIMITATIONS IN THIS SECTION APPLY WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR ANY OTHER BASIS, EVEN IF THE NON-BREACHING PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.