Vulnerability Disclosure Policy

If you would like to report a vulnerability or have a security concern regarding OwnBackup products and services, please email ownbackup.vdp@ownbackup.com. We will respond to  you and acknowledge receipt of your report within three business days.

Once your report has been submitted, we will work to validate the reported vulnerability and will reach out to you if additional information is required.

To help us triage and remediate potential findings, the vulnerability report should:

• Describe the vulnerability, precisely where it was discovered, and the real-world impact.

• Reports from automated scanning tools are not accepted.
• Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
• Please include one vulnerability per report (unless in an attack chain).
• Don’t report automated scanner results without proof of exploitability.

We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the OwnBackup security team and associated development organizations will use reasonable efforts to:

• Respond in a timely manner, acknowledging receipt of your vulnerability report.

• Provide an estimated time frame for addressing the vulnerability report.
• Notify you when the vulnerability has been fixed.

We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at OwnBackup. The full copy OwnBackup Vulnerability Disclosure Policy be found here.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.