Skip to content

Security: joshwayne/omnivore

Security

SECURITY.md

Security Policy

Keeping user information safe and secure is a top priority, and we welcome the contribution of external security researchers.

Scope

Omnivore runs a number of services but only submissions under the following domains are eligible for rewards. Any Omnivore-owned domains not listed below are not in scope, not eligible for rewards, and not covered by our legal safe harbor.

  • omnivore.app
  • demo.omnivore.app

Domains that are out of scope:

  • docs.omnivore.app
  • blog.omnivore.app
  • changes.omnivore.app

The following vulnerability categories are outside of the scope of our responsible disclosure program, and aren't eligible for bounty:

  • Denial of Service (DoS), or its distributed version (DDoS)
  • User / email enumeration
  • Brute forcing
  • Spamming that can be prevented by rate limiting techniques
  • Vulnerabilities that involve a high number of user interactions, such as social engineering
  • CSRF on forms publicly available
  • Missing SPF / DKIM / DMARC entries
  • Redirection from HTTP to HTTPS
  • UI / UX bugs or grammar/spelling mistakes
  • Outdated web browsers – vulnerabilities contingent on outdated or unmatched browsers will not be compensated

How to Submit a Report

To submit a vulnerability report to Omnivore Media, please contact us at [email protected]. Your submission will be reviewed and validated by a member of our security team.

Safe Harbor

Omnivore Media supports safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Only interact with accounts you own or with explicit permission of the account holder. If you do encounter Personally Identifiable Information (PII) contact us immediately, do not proceed with access, and immediately purge any local information.
  • Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third-party.

We will consider activities conducted consistent with this policy to constitute "authorized" conduct and will not pursue civil action or initiate a complaint to law enforcement. We will help to the extent we can if legal action is initiated by a third party against you.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Preferences

  • Please provide detailed reports with reproducible steps and a clearly defined impact.
  • Submit one vulnerability per report.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

There aren’t any published security advisories