Vulnerability Disclosure Policy (VDP)

We recognize the vital role security researchers play. Please report any potential vulnerabilities in Octopyder XDR or associated websites by following our Coordinated Vulnerability Disclosure guidelines.

1. Reporting Method & PGP Key

For all vulnerability submissions (Product or Non-Product related), please contact our Product Security Incident Response Team (PSIRT) directly:

Submit your findings:

admin@Octopyder.com

For enhanced security, our PGP key for encrypted communication can be found here.
2. Responsible Disclosure Guidelines

Please DO:

  • Share the security issue with us before making it public.
  • Provide full details, including steps to reproduce, POC code, and system details.
  • Wait until notified that the vulnerability has been resolved before public disclosure.
  • Notify us promptly if you plan to present the issue at a conference, including the presentation date.

Please DO NOT:

  • Cause potential or actual damage to any user, system, or application.
  • Use an exploit to view data you are not authorized to access, or to corrupt data.
  • Request compensation (bounty) for reporting security issues.
  • Engage in disruptive testing (e.g., DoS) or social engineering/phishing.

3. Accepted Vulnerabilities (In Scope)

We prioritize reports that demonstrate a direct security impact on:

  • Product: All major vulnerabilities in Octopyder XDR and its Sharabha ML engine, including data isolation failures, remote code execution (RCE), authentication bypass, and critical server-side flaws.
  • Web: OWASP Top 10 categories, including authenticated XSS, SQL Injection, and critical access control flaws on our primary domains.
  • Endpoint Agents: Critical vulnerabilities allowing privilege escalation or agent bypass.

4. Out of Scope Vulnerabilities (Low Impact)

The following issues are generally considered low impact and are excluded from our VDP:

  • Theoretical, unexploitable vulnerabilities (without a functional POC).
  • Missing/Incomplete SPF/DMARC/DKIM records.
  • Issues related to password/credential strength, length, or lack of rate limiting (unless resulting in an account compromise).
  • Clickjacking/UI redressing without a clear security impact.
  • Low-impact information disclosures (e.g., software version disclosure).
  • Missing non-security HTTP headers or cookie flags.
  • Self-XSS (requiring the victim to perform unlikely actions).
  • Any vulnerability affecting users of outdated browsers or platforms.

Researcher Acknowledgements

We value the contributions of the security community. Please review our Security Researcher Acknowledgements page for a list of individuals who have helped secure our products and services.