We run an open responsible-disclosure policy. If you've found a security issue in an Olilo system, get in touch - we'll investigate quickly, fix fast, and credit you if you'd like.
Email is the fastest route. We aim to acknowledge reports within one working day and provide a substantive update within five working days. If the issue is actively being exploited, mark the subject “URGENT” and we'll escalate immediately.
Follow these and we'll treat your report as good-faith research under our safe harbour.
Test against your own account. Don't touch other customers' data, don't pivot between environments, and don't exfiltrate more than the minimum needed to prove the issue.
If you accidentally access personal data, stop, don't save copies, and tell us in the report. We treat this as evidence of a finding, not an abuse.
Give us reasonable time to investigate and ship a fix before you go public. We'll agree a disclosure window with you and credit you when it's fixed if you'd like us to.
If you act in good faith and follow this policy, we won't pursue legal action or contact law enforcement. You're helping us, not attacking us.
What's in scope for this policy, and what you shouldn't touch.
A good report gets triaged and fixed faster. We're happy with prose, proof-of-concept code, screen recordings, or all three. The more reproducible, the better.
We don't currently run a paid bug bounty, but we're happy to credit researchers publicly on this page (if you want), and we send a genuine thank-you. As we grow, we'll look at formalising a bounty - if that matters to you, tell us in your report.