Security at ObserveOne

If you think you've found a vulnerability in anything we run, we want to hear about it. This page is the short version of how to tell us and what happens next. The companion machine-readable file lives at /.well-known/security.txt.

Reporting

Email [email protected]. One mailbox, a real person reads it. Please don't open a public GitHub issue or post about it on social before we've had a chance to look.

Useful things to include: the affected URL or endpoint, the steps you took, what you saw, and what you think the impact is. A working proof of concept is great but not required.

What we promise

We acknowledge inside two business days. We give you a real reply with our read on severity inside five business days. We don't shoot the messenger. Good-faith research that follows this page won't put you on the wrong side of us.

If the bug is serious, you'll hear from us the same day. If it's a duplicate or a known issue, we'll say so plainly instead of stringing you along.

Scope

In scope: www.observeone.com and any subdomain we own. Out of scope: third-party services we depend on (report those to the vendor), social engineering of our staff, denial-of-service tests, and physical attacks against our offices or hardware. If you're unsure, ask first.

Disclosure

We work to coordinated disclosure. You can publish after we've shipped a fix, or after 90 days from your initial report, whichever comes first. If you want credit on a future acknowledgements page, tell us how you'd like to be named.

More about who we are and what we do at /about, or get in touch on the contact page.

Frequently asked questions

Where do I send a report?
Email [email protected]. Include a clear description, the URL or endpoint, the steps to reproduce, and what you saw versus what you expected. PoC code is welcome but not required.
How fast will you respond?
We acknowledge within two business days. A first technical reply with our read on severity usually lands inside five business days. If something is actively exploitable in production we move on it the same day.
What's in scope?
Anything on www.observeone.com, our marketing site, our app surface, and any subdomains we own. Third-party services we use (Vercel, Railway, Cloudflare, Amplitude) are not in scope here. Report those to the vendor.
Do you pay bounties?
We don't run a paid bounty program yet. We do credit reporters publicly if they want it, and we'll send a thank-you and some company swag for anything material.
Can I publish my findings?
Yes, after we've shipped a fix or 90 days have passed, whichever comes first. We'd rather coordinate the timing with you than dictate it, so just let us know.