Bug Bounty

TL;DR

Any OMR services available from the Internet and any software developed by OMR is in scope. We consider activities conducted consistent with this policy to constitute “authorized” conduct. Publicly disclosing your bug without coordinating with us may lead to being ineligible for a bounty.

Policy

Keeping user data safe is a top priority for us. We strive to be as transparent as possible when it comes to our security efforts in order to help you stay informed and aware of when you may need to take action.

Rewards

If you’re able to help us protect our users and their data by responsibly identifying new security issues for us to fix, you are awesome and monetary rewards are possible. Qualifying bugs will be rewarded based on severity. Rewards are granted entirely at the discretion of OMR. Publicly disclosing your bug without coordinating with us may lead to being ineligible for a bounty. We will judge this on a case-by-case basis.

Applications in Scope

Any OMR services available from the Internet and any software developed by OMR. This includes all of our web applications as well as all of the apps we release.
If OMR has to implement a code change to fix the security bug, it most likely qualifies for a bounty.
Find a security vulnerability? Send it our way so we can get on it. This might include:

  • Web security problems (e.g. cross-site scripting and SQL injection problems)
  • Other security concerns (e.g. infrastructure security problems, information disclosure issues)

Bugs in software not owned by OMR, such as our Support portal (Helpdesk) or any of our podcast platforms, should be reported to the organisations behind those products.

Pro-Tips for Scoring A Bounty

Reports that are more likely to qualify for a bounty have:

  • Easy-to-follow reproduction steps
  • Bug titles that specify the scope of the vulnerability
  • Clear details about how the vulnerability can be directly leveraged as part of an exploit against users or OMR
  • Examples of bug types that commonly qualify for a bounty include XSS, SQL injection, authorization issues and the like

While testing, please:

  • Take care to minimize the impact on other users by using our staging environment.
  • Do not access or modify our data or our users’ data without the explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes.
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local copies upon reporting the vulnerability to OMR.
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
  • Keep in mind that low-impact bugs will take a while for us to fix.

Out-of-scope Vulnerabilities

The following issues are outside the scope of our rewards program:

  • Issues related to networking protocols or industry standards not controlled by OMR.
  • Any vulnerability requiring a browser with deliberately weakened security features, for example re-enabling Flash (.swf).
  • Password, email and account policies, such as email address verification, reset link expiration, password complexity.
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
  • Login/logout CSRF.
  • Attacks requiring physical access to a user’s device.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Self-XSS (we require evidence of how the XSS can be used to attack another user or employee).
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports of spam (i.e., any report involving ability to send emails without rate limits).
  • Content spoofing. Pure text injection (where you can only inject plain text into a page) is out of scope. We will accept and resolve reports where an attacker can inject an image or rich text (HTML), but these are not eligible for a bounty.
  • Absence of rate limiting, unless related to authentication.

The following issues are outside the scope of our rewards program, and are not considered “authorized” conduct:

  • Physical attacks against OMR offices and venues.
  • Social engineering of employees, our partners, or contractors.
  • Any vulnerability obtained through the compromise of an employee or user account: if you need to test a vulnerability, create another account; don’t take someone else’s. This type of activity will result in permanent disqualification from the program.
  • Any vulnerability found through the use of a botnet, compromised site, or a DDoS cannon (any tool that generates a significant volume of traffic).
  • Disrupting or negatively impacting non-consenting users will disqualify your submission.

Consequences of complying with this policy

We will not pursue civil action or initiate a complaint to law enforcement for violations of this policy that we, in our sole discretion, determine are accidental, good-faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with OMR’s bug bounty policy, OMR will take steps to make it known that your actions were conducted in compliance with this policy.
Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. OMR employees and their family members are not eligible for bounties.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, OMR reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.

You can contact us here