Vulnerability Disclosure Policy

Last Reviewed: 02-04-2026

This Vulnerability Disclosure Policy (“Policy”) describes how third-party security researchers must conduct security research activities and responsibly report potential security vulnerabilities.

This Policy is incorporated by reference into the Optery Terms of Service located at https://www.optery.com/terms-of-service/.

By submitting a vulnerability, you agree to comply with this Policy.

1. Purpose

Optery is committed to protecting customer data, maintaining service availability, and preserving user trust.

We encourage responsible disclosure of security vulnerabilities discovered in Optery systems, provided research is conducted in accordance with this Policy and applicable law.

2. Scope

2.1 In-Scope Services 

This Policy applies exclusively to the following Optery-owned and operated services (the “In-Scope Services”):

  • Primary Domain: optery.com and its Optery-managed subdomains (e.g., app.optery.com, ops.optery.com, business.optery.com). 
  • Web Applications: Official Optery public-facing web applications where Optery has direct administrative control over the underlying code and infrastructure.
  • Application Programming Interfaces (APIs): Publicly documented Optery APIs (e.g., api.optery.com).
  • Mobile Applications: Official Optery-branded mobile applications distributed via the Apple App Store or Google Play Store. 

Note: The presence of an Optery logo or branding on a website or service does not inherently place that asset in-scope if it is hosted or managed by a third party.

2.2 Out of Scope Systems and Assets

Any other system, application, or asset not explicitly listed under “In-Scope Services” is strictly out of scope. This includes, but is not limited to:

  • Third-party Services: Any service, integration, or infrastructure hosted, owned or operated by third parties (e.g., AWS, Hubspot, Crisp, Stripe), even if branded as Optery or linked from Optery’s websites, applications, or services.
  • Non-Production Environments: Staging, testing, or development environments, unless otherwise specifically authorized by Optery in writing.
  • Customer Data & Environments: Exploitation of customer-specific data or environments beyond a basic “Proof of Concept” (PoC) using a researcher-owned account.
  • Internal Infrastructure: Internal employee systems, corporate networks, physical office locations, and non-public-facing assets.

2.3 Ineligible Participants

This Policy and the Safe Harbor do not apply to:

  • Current or former employees, contractors, or vendors of Optery; or
  • Individuals who are located in, or residents of, countries on the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctions list. 

2.4 Authorization Requirement

If you are unsure whether a system is an In-Scope Service, you must contact Optery at vulnerability-disclosure@optery.com and receive express written confirmation before beginning any testing. Testing unauthorized systems or assets is a violation of this Policy and may void Safe Harbor provisions.

3. Researcher Responsibilities

To maintain protection under this Policy and the associated Safe Harbor, security researchers must act in good faith and strictly adhere to the following obligations:

  • Policy Compliance: Comply with all terms of this Policy and applicable laws. Any deviation from this Policy nullifies all Safe Harbor protections.
  • Non-Destructive Testing: Security researchers must ensure that all testing is non-destructive and does not harm or otherwise adversely impact Optery’s users, data, or system availability.
  • Authorized Accounts Only: Conduct research using only accounts you personally own or have permission to use for testing purposes. You are strictly prohibited from accessing, attempting to access, or modifying data belonging to any Optery customer or user.
  • Data Minimization & Cessation of Testing: You must stop testing immediately upon the discovery of sensitive data, including, but not limited to, PII, PHI, financial account information, or credentials. You may perform a PoC to demonstrate the vulnerability, but you must not attempt to exfiltrate, view, or modify data beyond what is strictly necessary to prove the flaw’s existence.
  • Purge Requirement: Upon submission of your report, you must securely and permanently delete all copies of sensitive data and Optery proprietary information obtained in connection with your research and certify such deletion in writing to Optery upon request.
  • Cooperation: You must provide requested clarifications, logs, or reproduction steps within forty-eight (48) hours of a request from Optery to ensure timely remediation.
  • Confidentiality & Non-Disclosure: You must keep all vulnerability details strictly confidential. You are prohibited from disclosing any vulnerability to any third party or to the public without prior, express written authorization from Optery.

4. Prohibited Activities

Engagement in any of the following activities constitutes a material breach of this Policy and immediately and automatically voids any Safe Harbor or authorization granted herein:

  • Denial-of-Service or traffic flooding attacks, or any other resource-exhaustion attacks that degrade the performance of Optery services.
  • Brute-force authentication or credential stuffing attempts. Rate limiting must be respected at all times.
  • Accessing, viewing, modifying, deleting, or exfiltrating data not belonging to your specifically authorized test account. This includes “exploratory” browsing of sensitive directories or database records.
  • Establishing persistent access (e.g., planting web shells or backdoors), pivoting to internal networks, or any form of lateral movement within Optery infrastructure.
  • Social engineering, phishing Optery personnel, customers or partners, and physical security testing of any Optery offices or data centers where applicable.
  • Testing third-party vendors, SaaS providers, or customer-owned environments that interact with Optery.
  • Violating any local, state, federal, or international law, regulation, treaty, or agreement, including but not limited to the Computer Fraud and Abuse Act (CFAA) and the California Consumer Privacy Act (CCPA).

Note: Violations of these restrictions may result in immediate disqualification from protection under this Policy and any affiliated Safe Harbor, potential placement on a block list for future reporting, and the reservation of all legal and equitable rights and remedies by Optery.

5. Reporting a Vulnerability

Vulnerabilities must be reported exclusively through Optery’s official channels:

  • Email: vulnerability-disclosure@optery.com

For highly sensitive issues, you may request a live discussion via the email above.

5.1 Required Information

Reports must be encrypted if they contain sensitive data (e.g., PII or credentials). You may also provide the following:

  • Affected asset or endpoint
  • Vulnerability description
  • Impact assessment
  • Step-by-step reproduction instructions
  • Proof of concept, if available

Secure File Handling: Do not host PoC materials, including screenshots or videos, on public sites (e.g., GitHub, YouTube). If files exceed size limits, use a secure service and share credentials separately. This channel is not for support requests, sales inquiries, or general security questions.

Note: Optery reserves the right to disregard non-actionable reports, including reports of “theoretical risk” or automated scanner reports without human validation.

6. What Optery Will Do

If a report complies with the requirements of this Policy, Optery will acknowledge receipt within 5 business days and take appropriate action with respect to investigations, communication, and remediation. While Optery may provide recognition or non-monetary rewards for exceptional findings, Optery does not operate a financial bug bounty program. Any attempt to withhold vulnerability details to negotiate a particular reward or compensation before disclosure will be treated as extortion and result in the immediate revocation of Safe Harbor protections.

7. Confidentiality & Disclosure

All reports are subject to a strict confidentiality embargo and used only for defensive purposes. You may not disclose any vulnerability details to any third party or to the public without Optery’s prior, express written authorization. Optery may grant or withhold such authorization at its sole discretion.

8. Safe Harbor

If your security research is conducted in strict accordance with this Policy:

8.1 Authorization

Optery considers security research conducted in strict accordance with this Policy to be “Authorized Access” under the Computer Fraud and Abuse Act (CFAA) and relevant state anti-hacking laws.

8.2 Waiver

Optery waives any claims under the Digital Millennium Copyright Act (DMCA) for circumvention of technological measures used to protect the In-Scope Services, provided that such research is non-destructive.

8.3 Third-Party Claims

If your research is conducted in strict compliance with this Policy, Optery will not initiate or support legal action against you. However, this Policy does not (and cannot) protect you from legal action taken by third parties such as vendors or hosting providers whose systems you may have impacted.

9. Questions

If you have questions about this Policy or proposed research, contact:

Optery Vulnerability Disclosure Team
vulnerability-disclosure@optery.com