← Trust CenterResponsible Disclosure
We rely on the security research community to keep ORCONIC safe. This page is the contract: how to report, what we promise back, and where the safe-harbour begins and ends.
1 — How to report
- Email security@codaiq.com — preferred channel.
- Encrypted reports: GPG key available on request via security@codaiq.com.
- Public advisories are published in the Trust Center and the Changelog.
- Please include: affected URL/endpoint, reproduction steps, expected vs observed behaviour, severity estimate (CVSS v3.1 if you have it), and your preferred name + handle for the hall of fame.
2 — What you can expect from us (SLA)
- Initial acknowledgement: within 2 business days (Europe/Berlin).
- Triage decision: within 7 calendar days — accepted, duplicate, out-of-scope, or informational.
- Fix timeline (target):Critical < 7d, High < 30d, Medium < 90d, Low / informational on a best-effort basis.
- Coordinated disclosure: we agree on a public- disclosure date with you, default 90 days after the fix lands.
- Credit: hall-of-fame mention below. We do not currently run a paid bounty programme — see section 5.
3 — Scope
In scope:
- orconic.com (production application + marketing)
- *.orconic.com (subdomains pointing at our infrastructure)
- orconic.com, *.orconic.com
- API endpoints under /api/* on the above hosts
- Public iOS / Android apps (when released)
Out of scope:
- Third-party services (Supabase, Vercel, Stripe, OpenAI, …) — report to the vendor
- Phishing / social-engineering attacks against employees outside the bug-bounty terms
- Self-XSS and rate-limiting issues without a security impact
- Vulnerabilities requiring a rooted device or pre-existing local admin
- Missing security headers without a demonstrated exploit chain
- Best-practice advice without a working PoC (e.g. "you should use CSP")
4 — Safe-harbour terms
We will not pursue civil or criminal action against you, nor ask law enforcement to do so, as long as you:
- act in good faith and avoid privacy violations, destruction of data, and interruption or degradation of our services;
- only test against accounts you control or have explicit permission to test;
- give us a reasonable period to address the issue before any public disclosure;
- do not exploit a security issue beyond what is necessary to demonstrate it.
This safe-harbour does not authorise activity that violates applicable law, third-party rights, or the rights of our users.
5 — Bounty (or lack thereof)
We do not currently operate a paid bug-bounty programme. Reports are rewarded with public credit (with your consent), ORCONIC swag (subject to logistics), and, for repeat researchers, a paid consultation slot with our engineering team. We will revisit cash bounties once the SOC 2 Type I report lands (target Q4 2026).
6 — Hall of Fame
The first credible reporter will be listed here. We're starting fresh — be the first to make the list.