Security at ObserveOne
If you think you've found a vulnerability in anything we run, we want to hear about it. This page is the short version of how to tell us and what happens next. The companion machine-readable file lives at /.well-known/security.txt.
Reporting
Email [email protected]. One mailbox, a real person reads it. Please don't open a public GitHub issue or post about it on social before we've had a chance to look.
Useful things to include: the affected URL or endpoint, the steps you took, what you saw, and what you think the impact is. A working proof of concept is great but not required.
What we promise
We acknowledge inside two business days. We give you a real reply with our read on severity inside five business days. We don't shoot the messenger. Good-faith research that follows this page won't put you on the wrong side of us.
If the bug is serious, you'll hear from us the same day. If it's a duplicate or a known issue, we'll say so plainly instead of stringing you along.
Scope
In scope: www.observeone.com and any subdomain we own. Out of scope: third-party services we depend on (report those to the vendor), social engineering of our staff, denial-of-service tests, and physical attacks against our offices or hardware. If you're unsure, ask first.
Disclosure
We work to coordinated disclosure. You can publish after we've shipped a fix, or after 90 days from your initial report, whichever comes first. If you want credit on a future acknowledgements page, tell us how you'd like to be named.
More about who we are and what we do at /about, or get in touch on the contact page.
Frequently asked questions
- Where do I send a report?
- Email [email protected]. Include a clear description, the URL or endpoint, the steps to reproduce, and what you saw versus what you expected. PoC code is welcome but not required.
- How fast will you respond?
- We acknowledge within two business days. A first technical reply with our read on severity usually lands inside five business days. If something is actively exploitable in production we move on it the same day.
- What's in scope?
- Anything on www.observeone.com, our marketing site, our app surface, and any subdomains we own. Third-party services we use (Vercel, Railway, Cloudflare, Amplitude) are not in scope here. Report those to the vendor.
- Do you pay bounties?
- We don't run a paid bounty program yet. We do credit reporters publicly if they want it, and we'll send a thank-you and some company swag for anything material.
- Can I publish my findings?
- Yes, after we've shipped a fix or 90 days have passed, whichever comes first. We'd rather coordinate the timing with you than dictate it, so just let us know.