Vulnerability Disclosure Policy

Introduction

Optimos International is committed to protecting the security of our users by safeguarding their information. This Vulnerability Disclosure Policy (VDP) provides clear guidelines for security researchers conducting vulnerability discovery activities on our public-facing systems and services. We encourage researchers to report potential vulnerabilities in good faith, and we will work collaboratively to address them promptly.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research authorized. Optimos International will not recommend or pursue legal action related to your research. Should a third party initiate legal action against you for activities conducted in accordance with this policy, we will make this authorization known.

Scope

This policy applies to the following internet-accessible systems and services:

  • *.optimosinternational.com (all subdomains unless explicitly excluded)
  • Public-facing websites and APIs published with a link to this policy

Out of Scope:

  • Non-Optimos International systems, including vendor systems (report vulnerabilities to the vendor per their disclosure policy)
  • Non-public-facing or non-internet-accessible systems
  • Third-party services not explicitly listed
  • Denial of Service (DoS/DDoS) testing, physical testing, or social engineering (e.g., phishing)

If unsure whether a system is in scope, contact us at support@optimosinternational.com before conducting research.

Guidelines for Researchers

Under this policy, “research” means activities where you:

  • Notify us as soon as possible after discovering a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, or destruction/manipulation of data.
  • Use exploits only to confirm a vulnerability’s presence, not to compromise or exfiltrate data, establish persistent access, or pivot to other systems.
  • Stop testing immediately upon encountering sensitive data (e.g., personally identifiable information, financial data, or proprietary information) and notify us without disclosing the data.
  • Refrain from submitting high volumes of low-quality reports.

Reporting a Vulnerability

  • Submit reports via email to support@optimosinternational.com.
  • If you provide contact information, we will acknowledge receipt within 3 business days.
  • Include:
    • A detailed description of the vulnerability, including its location and potential impact.
    • Steps to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).
  • Information submitted will be used for defensive purposes only, to mitigate or remediate vulnerabilities.

Disclosure Timeline

We are committed to patching vulnerabilities within 90 calendar days. To minimize risk, we request that researchers:

  • Refrain from publicly disclosing vulnerabilities for 90 days after we acknowledge receipt of your report.
  • Coordinate with us at support@optimosinternational.com if you believe others should be informed before a patch is available.
  • Understand that, after remediation, we may coordinate a joint advisory or allow self-disclosure by the researcher.

If a vulnerability affects users beyond Optimos International, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA) for coordinated disclosure, without sharing your personal information unless explicitly permitted.

Prohibited Actions

  • Conducting tests that impair system access or damage data (e.g., DoS/DDoS).
  • Engaging in physical testing, social engineering, or non-technical attacks.
  • Disclosing vulnerabilities publicly before the agreed timeline or without coordination.
  • Demanding payment before revealing vulnerability details.

Contact

For questions about this policy or scope clarification, email support@optimosinternational.com. If you cannot reach us or receive no response, contact CISA at https://www.cisa.gov/vulnerability-disclosure.

Legal Notice

Security researchers must comply with all applicable federal, state, and local laws. Activities inconsistent with this policy may result in legal consequences. This policy does not authorize research on third-party systems or services.