OpenOS Technologies

Security Research

How to report security issues responsibly to OpenOS.

OpenOS publishes a Vulnerability Disclosure Policy to help customers and security researchers report valid security findings safely, clearly, and with shared expectations around authorized testing and disclosure.

Last updated 07 May 2026

Scope and reporting

The Vulnerability Disclosure Policy applies to OpenOS-owned and operated systems, applications, and services, including openost.com and related product domains. It explicitly excludes third-party services, vendor infrastructure, partner systems, and other external platforms not owned by OpenOS.

Researchers and customers who believe they have identified a vulnerability are asked to report it responsibly by email to hello@openost.com and to include a detailed description, reproduction steps, affected URLs or endpoints, proof-of-concept information where applicable, an impact assessment, and contact details for follow-up.

OpenOS commitments

The policy states that OpenOS will make reasonable efforts to acknowledge reports, investigate findings, communicate progress where appropriate, and prioritize remediation based on severity, impact, and risk. The source document notes a target of acknowledging reports within five business days.

Authorized and prohibited activity

OpenOS states that responsible, non-destructive testing and vulnerability identification are generally acceptable when they do not compromise customer data, platform stability, or service availability. The policy also asks researchers to act in good faith, avoid privacy violations, minimize impact, and provide OpenOS reasonable time to investigate and remediate issues before public disclosure.

The policy explicitly prohibits activities such as unauthorized access to customer or personal data, denial-of-service attacks, large-scale or disruptive automated exploitation, phishing or social engineering, physical intrusion, malware deployment, and destructive payload testing.

Safe harbor and program status

OpenOS states that it will not pursue legal action against individuals who act in good faith, comply with the policy, promptly report vulnerabilities, avoid causing harm, and respect privacy and confidentiality. The safe harbor does not extend to illegal activity, extortion, unauthorized data access, service disruption, or destructive behavior.

The policy also notes that OpenOS does not currently operate a public bug bounty program unless one is explicitly announced through official channels, and that submission of reports does not guarantee financial rewards or recognition.

Security findings should be reported to hello@openost.com. The downloadable Word source is available above for teams that require the original policy document.