# Olilo Security Policy

At Olilo, we take security seriously. We're a small but security-focused ISP built by network engineers who actually give a damn.

If you've discovered a vulnerability that affects our infrastructure, services, or users - first off, thank you. We appreciate responsible disclosure and will do our best to work with you quickly and transparently.

## Disclosure Guidelines

- Email us at: security@olilo.co.uk
- URL: https://hackerone.com/17e17769-62e2-4c56-825b-15d5cf446465/embedded_submissions/new
- Please provide as much detail as possible (e.g. IPs, URLs, headers, PoCs)
- Give us a reasonable amount of time to investigate and fix the issue before public disclosure (we aim for 7-14 days for critical, faster if urgent)

## What's In Scope

We welcome reports for:

- Vulnerabilities in our customer portal, API, router firmware, and core services
- Network-level exploits that affect customers or routing
- Authentication/authorization bypasses
- Information leaks (data exposure, DNS misconfigs, etc.)

## What's Out of Scope

- Denial of Service (DoS) attacks
- Self-XSS or social engineering against staff/customers
- Missing SPF/DMARC/SSL headers that don't present risk
- Issues on 3rd-party platforms we use (like Stripe or Discord)

## Legal Bits

We promise not to take legal action against researchers who:

- Act in good faith
- Don't exploit the issue beyond what's needed for proof
- Don't access or modify data that isn't theirs

---

Thank you for helping keep Olilo (and the internet) a bit safer.

\- The Olilo Team