Vulnerability Disclosure Program (VDP)

Updated: June 23, 2025

About this program

Ontic Technologies, Inc. (“Ontic”) is committed to protecting our websites, applications, clients, and our clients’ data. As part of our overall security strategy, Ontic welcomes the contributions of external security researchers who discover vulnerabilities in our websites and applications, helping us to enhance our security posture. Despite our best efforts to secure our websites and applications, we acknowledge that unknown vulnerabilities are always a risk.

We welcome engagement from the security community and are grateful to anyone sharing their findings with us to make our system more secure. Our vulnerability disclosure program allows you to responsibly report any potential issues or vulnerabilities to Ontic.

If you think you have identified an issue or vulnerability in one of our websites, please report it to us as quickly as possible.

Note: This program is not a bug bounty program. Security Researchers who identify and report significant vulnerabilities that can be verified will be recognized on this webpage, but not compensated.


Rules of engagement

The Ontic Vulnerability Disclosure Program does not authorize Security Researchers to conduct full penetration testing against our websites and applications.

Researchers must act in good faith, testing only systems they have permission to access, and not intentionally or negligently causing damage or disruption.

To participate in this program, you must follow these rules:

  • If you think you have identified a vulnerability, stop and report it to Ontic. Do not attempt to exploit the vulnerability.
  • Vulnerabilities must not be disclosed publicly or to any other party.
  • You must not leverage deceptive techniques, such as social engineering against Ontic employees or our clients.
  • You must not introduce malicious software that could impact our services, products, clients, or any third party.
  • You must not engage in unlawful or unethical behavior.
  • You must not modify, destroy, exfiltrate, or retain data.
  • You must not test against any Ontic client environment.
  • You must not submit false, misleading, or dangerous information.
  • You must not access or attempt to access accounts or data that does not belong to you.
  • You must not engage in any testing that could be considered a Denial of Service (DoS) attack.


Program scope

In scope: Any product or service owned by Ontic Technologies to which you have lawful access.

  • ontic.co
  • ontictechnologies.com
  • onticsummit.co
  • onticsummit.com
  • *.ontic-tech.com (Login screens and public facing content only)
  • *.ontic.ai (Login screens and public facing content only)
  • Ontic Technologies Mobile application:
    • Protective Intelligence (Android)
    • Protective Intelligence (iOS)

Out of scope: The following low-risk vulnerabilities will not be accepted and should not be reported.

  • HTTP header-related vulnerabilities
  • Logical bugs that represent no immediate or exploitable security risk.
  • Generic best practice concerns without demonstrable exploitation.
  • Spam or social engineering methods.
  • Password complexity-related concerns.
  • Denial of Service attacks/weaknesses.
  • Mobile application crashes that don’t lead to a security escalation issue or abuse.
  • Vulnerabilities requiring jailbroken devices or physical access to an unlocked device to exploit.
  • Any other vulnerability that would be rated Low under the Common Vulnerability Scoring System (CVSS v3 score of 3.9 or lower).


How to report a vulnerability

To report a potential security vulnerability, please email vulnerabilitydisclosure@ontic.co, providing as much information as possible, including:

  • Your contact details
  • Whether or not you want to be publicly acknowledged on this site
  • Explanation of the potential security vulnerability
  • A list of the products and services that may be affected
  • Steps to reproduce the vulnerability
  • Proof-of-concept code (where applicable)
  • Any other evidence (Screenshots, videos, …)

Properly submitted vulnerability reports will be acknowledged within 3-5 business days. Validation and recognition could take up to 30 days.


Recognition

To receive recognition for a reported vulnerability:

  • The researcher must agree to and abide by all of the rules, terms, and conditions set in this document
  • The researcher must not be an Ontic employee or have been employed by Ontic within the past year
  • The researcher must be the first person to report the issue
  • Ontic must be able to verify that the vulnerability is legitimate and is a material risk

Recognition will include the option of being recognized on this site, a certificate of appreciation, and an Ontic challenge coin.


Safe harbor

To encourage security research and responsible disclosure of security-related vulnerabilities, Ontic Technologies states that it will not pursue civil or criminal action nor send notice to law enforcement forces for accidental violations of Ontic Technologies’ Vulnerability Disclosure Rules of Engagement (VDRE).

You shall comply with all applicable laws and not disrupt, distribute, publish, or compromise any data, infrastructure, or business continuity beyond that described in the VDRE policy.

If you submit a report through our VDRE program that affects a third-party service, Ontic will limit the information shared with any affected third party. Ontic may share non-identifying content from a researcher’s report with an affected third party only after notifying the researcher(s) of our intention to submit the content, and after getting the third party’s written commitment that they will not pursue legal action against researchers or initiate contact with law enforcement based on either our report or the researchers’. Ontic will not share your identifying information with any affected third party without first getting your written permission to do so, in compliance with applicable laws.

In the case that legal action is initiated by a third party, including law enforcement, against researcher(s) based on their participation in this VDRE, and the researcher(s) have sufficiently complied with this policy (as determined by Ontic), Ontic will take steps to acknowledge that the researcher’s actions complied with this policy. While Ontic considers submitted reports both confidential and potentially privileged documents (and therefore protected from compelled disclosure), note that a court could order Ontic to share information with a third party.

Ontic does not authorize out-of-scope testing on behalf of third parties, and such testing is beyond the scope of this policy. Ontic forbids the research of third-party products, services, infrastructure, etc., performed through the unlawful and non-compliant use of any of Ontic’s products, services, or infrastructure. Moreover, Ontic forbids using any authentication artifacts (including but not limited to passwords, API tokens, and credentials) that are found, leaked, or obtained as a result of any research performed targeting Ontic’s products, services, infrastructure, or any other asset owned by Ontic, to perform security and vulnerability research on the affected third party.