# Vulnerability disclosure policy

If you believe you have found a security vulnerability in any Oiva surface, we ask that you tell us first and give us a reasonable opportunity to fix it.

## How to report

Send your report to security@oiva.com.au using our published PGP key.

PGP key fingerprint:

## Our commitments

| Commitment | Timeline |
|---|---|
| Acknowledgement | Within 2 business days |
| Triage and severity classification | Within 5 business days |
| Resolution | Per CVSS severity — critical within 7 days, high within 30 days, medium within 90 days |
| Credit | We will credit you publicly where you wish |

## Safe harbour

We will not pursue legal action against good-faith security researchers who act in line with this policy, meaning they:
- Test only against accounts they own or have explicit permission to test.
- Do not access, modify, or exfiltrate data they are not authorised to access.
- Do not disrupt Oiva or Oiva customers.
- Do not publicly disclose the vulnerability before we agree it is appropriate.

We do not currently operate a bug-bounty programme.

This policy was reviewed on and will next be reviewed .