Security

Responsible Disclosure Policy

Oviva is committed to maintaining the security of our products, services, and customer information. We appreciate and value the identification and reporting of security vulnerabilities carried out by well-intentioned, ethical security researchers. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Oviva would like to work with security researchers to verify and address any reported potential vulnerabilities.

Our Principles

  • Please do not make vulnerabilities public without notifying us and giving us at least 2 business days to respond.

  • We will work together with you to understand the severity of the issue and estimate the timelines for disclosure.

  • We will notify you when the vulnerability has been fixed, so that further testing can be done to confirm the remediation.

  • Please note that Oviva does not offer a bug bounty program. This means that Oviva does not pay rewards for disclosed security vulnerabilities. However, on a case-by-case basis, in consultation, we will consider providing public acknowledgement of your support.

How to Report

If you believe you have found a security vulnerability, please submit your report to us using the following email address: security@oviva.com

Your report should include details of:

  • Type of vulnerability or issue

  • Service, product or URL affected

  • Special configuration or requirements to reproduce the issue

  • Information necessary to reproduce the issue

  • Impact of the vulnerability together with an explanation of how an attacker could find it and exploit it

We welcome anonymous reports but we will not be able to share updates on the follow-up of the report.

Ethical engagement rules

Certain hacking activities constitute criminal actions. To protect you and us, please act in good faith and follow these rules of ethical engagement:

Must do:

  • Report the vulnerability to us in the manner set out above

  • Always comply with data protection rules and do not violate the privacy of our users, staff, contractors, services or systems

  • Report the vulnerability as soon as you can, to prevent threat actors from exploiting the vulnerability before we have a chance to fix it

  • Report the vulnerability to us while keeping the information confidential (in particular if it concerns personal data).

Must NOT do:

  • Break any applicable law or regulations

  • Access unnecessary, excessive or significant amounts of data or modify data in our systems or services

  • Submit reports detailing non-exploitable vulnerabilities or reports indicating that the services do not fully align with “best practice”, for example missing security headers

  • Demand financial compensation in order to disclose any vulnerabilities

  • Disclose the vulnerability to others

  • Use social engineering to gain access to our IT infrastructure or services

  • Install your own backdoor in our systems to disclose the vulnerability as this may result in unnecessary damage and security risks

  • Exploit a vulnerability further than necessary to confirm the vulnerability finding

  • Download, modify or remove data from the system

  • Modify the system

  • Use Denial of Service attacks or brute force

  • Use phishing

  • Use aggressive automated scanning

  • Negatively impact the Confidentiality, Integrity or Availability of our services

  • Execute code on our systems

  • Attempt to penetrate the system further than necessary to confirm the vulnerability finding

Contact

If you need further details or clarifications on this policy, please contact us at: security@oviva.com.