Vulnerability disclosure
If you find a security issue affecting Oxaide, please let us know. We review legitimate reports in good faith and work with researchers to validate and address them.
Disclosure Policy
If you believe you have found a security vulnerability in Oxaide, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
We ask that you:
- Provide us a reasonable amount of time to fix the issue before publishing it.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Do not modify or access data that does not belong to you.
Scope
In Scope
- *.oxaide.com
- app.oxaide.com
- api.oxaide.com
- oxaide.com marketing site
Out of Scope
- Social engineering (phishing, vishing)
- Denial of Service (DoS) attacks
- Physical attacks against offices/datacenters
- Third-party applications
Safe Harbor & Rewards
Oxaide will not pursue legal action against researchers who report vulnerabilities in accordance with this policy.
Note: We currently do not offer monetary bug bounties. Researchers who report valid, significant vulnerabilities will receive written acknowledgement upon request.
Response Timeline
Secure Communication
If you need to send sensitive information, please contact us first to arrange a secure transmission method.
Scope first
Defined review scope
Boundary, telemetry window, and mandate question are pinned down before conclusions move.
Encrypted handling
Protected review workflow
Review traffic and operating data are handled with encrypted transfer and controlled access.
Customer boundary
Customer-controlled deployment
Managed, private, and isolated deployment paths are available when the environment requires them.
Direct accountability
Principal sign-off
Technical accountability stays close to the method rather than disappearing into a generic workflow.