Vulnerability Disclosure Program
At OX Security, the security and trust of our customers are our top priorities. We are committed to maintaining the highest standards of security across our systems and services. If you believe you’ve discovered a potential vulnerability in our platform, we want to hear from you.
We appreciate the efforts of security researchers and others in the security community who help improve our security posture through responsible disclosure.
Reporting a Vulnerability
If you discover a vulnerability, please report it to us via email at:
📧 security@ox.security
We ask that you:
- Provide detailed information about the vulnerability, including steps to reproduce it.
- Do not publicly disclose the issue until we have had a reasonable opportunity to address it and have given you written approval to do so.
- Avoid accessing, modifying, or deleting any data that does not belong to you.
- Comply with all applicable laws and regulations.
Our security team will investigate all legitimate reports and respond as quickly as possible. We may reach out for additional information if needed.
Scope
The following are considered in scope for this program:
- *.ox.security (and all other OX-owned domains and subdomains)
- OX Security Web Application
- OX API endpoints
- Authentication and session management
- Access control and privilege escalation issues
- Exposure of sensitive customer or system data
- Business logic vulnerabilities
- Third-party integrations as used within OX (only if leading to a security issue on our side)
Out of Scope
The following are considered out of scope and will not be eligible for investigation or acknowledgment:
- Social engineering, phishing, or physical attacks
- Denial of Service (DoS), Distributed DoS, or resource exhaustion attacks
- Spam or best-practice reports (e.g., missing SPF/DKIM, outdated libraries without a proven exploit)
- Vulnerabilities in third-party services not under OX’s control
- Clickjacking on non-sensitive pages
- Self-XSS (attacks that require the victim to paste or execute code themselves)
- Reports from automated tools or scanners without proof of exploitability
- Issues requiring a rooted or jailbroken device, or physical access to a device
- Lack of HTTP security headers (unless leading to a proven exploit)
Safe Harbor
We support responsible disclosure and are committed to working with researchers in good faith. We will not pursue legal action against individuals who:
- Report vulnerabilities in accordance with this policy
- Avoid privacy violations, destruction of data, or service disruption
- Give us a reasonable amount of time to address the issue before making any information public
Thank you for helping us keep OX Security and our users safe.