Safe harbor
Good-faith reports that avoid data exfiltration, service disruption, persistence, and social engineering will be reviewed constructively.
Responsible disclosure
This policy covers the public marketing site and, when launched, OLYDI-hosted product surfaces. Do not test customer repositories, third-party accounts, or data you do not own.
Good-faith reports that avoid data exfiltration, service disruption, persistence, and social engineering will be reviewed constructively.
Include affected URL, steps to reproduce, impact, timestamp, and your preferred contact details. Do not include secrets in the report.
Do not access customer repositories, third-party accounts, production secrets, payment systems, or data you do not own. Stop testing if you encounter sensitive data.
Use the OLYDI security public key at /pgp.txt for sensitive report details. The key fingerprint is 5D00 061E BD14 25D6 DF39 5912 67B4 380C BA78 0FD6.
Valid reports should receive acknowledgement, triage, remediation status, and closure notes. Public disclosure timing is coordinated case by case.
The launch security contact is available at /.well-known/security.txt.