Bug Bounty Program: Security-Related Questions Policy Overview: At OSL, we are committed to maintaining the security and integrity of our systems. We appreciate the efforts of the security community in helping us identify and address potential vulnerabilities through our Bug Bounty Program. Policy: Security-Related Questions: We encourage security researchers to reach out with security-related questions that pertain to the responsible disclosure of vulnerabilities in our systems. Questions can be submitted through our designated communication channels, email us at itsecurity@osl.com. Bug Bounty Assessment: Our bug bounty program operates on a case-by-case basis. Security researchers are encouraged to submit vulnerability detailed reports including Impact, related risks, POC, ways to reproduced, solutions and recommendations to itsecurity@osl.com. Each submission will be assessed individually by our security team. Timely Response: We are committed to providing a timely response to security-related questions and bug bounty submissions. Researchers can expect an initial acknowledgment of their submission within 20 business days for us to go through our internal process. Case-by-Case Reward Approach: Our security team will review and assess each bug bounty report on a case-by-case basis. Bug bounty reports will be evaluated based on the impact, severity, and exploitability of the reported vulnerability. We appreciate the unique context and circumstances surrounding each vulnerability, and our assessment will consider these factors to determine the reward. We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. Communication: Effective and transparent communication is essential. We will strive to keep security researchers informed of the status and progress of their bug bounty submissions. Acknowledgment and Rewards: Valid bug reports that meet our criteria will be eligible for acknowledgment and rewards, as outlined in our internal Bug Bounty Program on case-by-case basis. Non-Disclosure: We request security researchers to refrain from disclosing any vulnerabilities publicly until we have had sufficient time to address and resolve the issue. You should not intentionally access personally identifiable information (PII) other than your own. If you suspect you have accessed, disrupted or compromise any PII, report the vulnerability immediately and do not attempt to access any other data. You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward. Continuous Improvement: We value feedback from the security community and are committed to continuously improving our Bug Bounty Program based on the insights and experiences shared by researchers. By adhering to this policy, we aim to foster a collaborative and positive relationship with the security community and ensure the ongoing security of our systems. For any inquiries or to report a vulnerability, please contact us at itsecurity@osl.com. Thank you for your dedication to making the internet a safer place. # Contact Info Contact: itsecurity@osl.com # Security file expiration date Expires: 2025-01-01T16:00:00z # Hiring information for security roles: Hiring: https://osl.com/careers # Security file location Canonical: https://osl.com/security.txt