Oro Bug Bounty Program
We recognize how important it is to help protect your privacy and security. As a software company, we have a vested interest in maintaining the trust you place in us and our products, but also a deep desire to see the Internet remain as safe as possible for everyone. So, needless to say, we take security issues very seriously.
Bug Bounty Program
Oro maintains a bug bounty program, which means that we recognize and reward researchers who report security issues and vulnerabilities for our websites and products. To be eligible for a bounty reward, a researcher needs to meet the following requirements:
- Older than 18 years old.
- Not a resident of a US-embargoed country.
- Adhere to our Responsible Disclosure policy (see below).
- A reported issue must be newly discovered.
- The issue report must include a detailed description and instructions for how to reproduce the vulnerability.
Vulnerabilities which are not eligible for the bounty program:
- Recently disclosed 0-day vulnerabilities
- A researcher uses brute force, a DDoS attack or social engineering.
- A researcher uses a discovered vulnerability to alter Oro’s website content, spoof any of Oro’s proprietary digital assets, or gain access to confidential Oro data.
- Vulnerabilities that only affect legacy or unsupported OS and/or browsers.
The amount of the bounty reward depends on the severity of the reported vulnerability.
Find a Major Security Issue with Oro’s Websites or Products?
If you believe you have discovered a vulnerability or have a security incident to report, please email us at [email protected].
In your email, please provide the original source of the issue and, if you are reporting an issue affecting an Oro product, the exact version and product name. Possible choices are:
Any Oro Inc. Website
Oro Products:
When properly notified of a legitimate issue, we will do our best to acknowledge your report, assign resources to investigate the issue and fix the potential problems as quickly as possible.
Responsible Disclosure
Responsible disclosure is an industry best practice, and we recommend this procedure for anyone researching security vulnerabilities. It allows individuals to notify companies of any security threats before going public with the information. This gives software vendors like us a chance to resolve the problem before the criminally-minded become aware of it.
We will not disclose security issues with our websites unless personal data has been breached.