Responsible Disclosure Policy

Last updated: April 21, 2026

Our Commitment

OuterSec is committed to the security of our platform and the protection of our customers' data. We take all security concerns seriously and appreciate the work of security researchers who help us maintain high security standards.

If you believe you've found a security vulnerability in OuterSec, we encourage you to report it to us responsibly. We will work with you to investigate and resolve the issue promptly.

How to Report a Vulnerability

Send vulnerability reports to our dedicated security team:

What to Include in Your Report

To help us triage and resolve issues quickly, please include:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • The URL(s), endpoint(s), or system component(s) affected
  • Any proof-of-concept code, screenshots, or videos
  • Your assessment of severity (Critical / High / Medium / Low)
  • Your contact information so we can follow up

Our Response Commitments

  • 24 hours: Initial acknowledgment of your report
  • 72 hours: Preliminary assessment and severity classification
  • 7 days: Detailed response and remediation timeline
  • 30-90 days: Target remediation (depending on severity)

Scope

In Scope

  • outersec.com and subdomains
  • OuterSec web application
  • OuterSec API endpoints
  • Authentication and authorization
  • Data exposure vulnerabilities

Out of Scope

  • Denial of service attacks
  • Social engineering / phishing
  • Third-party services we use
  • Physical security attacks
  • Testing on other customers' accounts

Safe Harbor

We will not pursue legal action against security researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or have explicit permission to test
  • Report vulnerabilities promptly and do not exploit them beyond what's necessary to demonstrate the issue
  • Do not publicly disclose the vulnerability before we've had a reasonable opportunity to fix it

We ask that you give us at least 90 days to resolve critical vulnerabilities before public disclosure.

Bug Bounty

OuterSec currently operates a confidential bug bounty program. Rewards are provided at our discretion based on the severity and quality of the report. Critical and high-severity vulnerabilities in core systems may qualify for monetary recognition. Contact security@outersec.com for details.

Contact

For security vulnerability reports: security@outersec.com

For general security questions: support@outersec.com