What is — and is not — in scope.
Test only the systems below, and only using accounts and data you control. If you are unsure whether something is in scope, ask us first.
- www.oltodiscovery.comthe public marketing and documentation site
- The Olto Discovery web applicationthe authenticated dashboard and its API routes at the same origin
- Our published security surfacesHTTP security headers, session and authentication flows, tenant-isolation (row-level security) boundaries
- Third-party providersSupabase, Vercel, Anthropic, Stripe, Resend, PostHog, Google Analytics, and hCaptcha — report issues in their systems to those vendors directly, under their own policies
- Denial-of-service (DoS / DDoS)volumetric, resource-exhaustion, or availability attacks against the site or its infrastructure
- Social engineeringphishing or pretexting our team, customers, contractors, or vendors
- Physical and supply-chain attacksphysical access to offices or hardware, or tampering with third-party dependencies
- Findings that require a compromised device or a privileged positionmalware on a victim’s machine, a rooted device, or already-privileged network access
Good-faith research is welcome.
If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorized, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. We consider activity conducted consistently with this policy to be authorized under the applicable computer-fraud and anti-hacking laws, and exempt from restrictions in our Terms of Service that would otherwise conflict with good-faith security research.
This protection applies only to good-faith research that stays within the scope and rules described here. It does not authorize you to violate the privacy of our users, disrupt the Service, or access data beyond what is necessary to demonstrate a vulnerability. If legal action is initiated by a third party against you for activity conducted under this policy, and you have complied with it, we will take steps to make it known that your actions were authorized.
What we ask you not to do.
These rules keep research safe for our users and for you. Testing that breaks them falls outside the safe harbor above.
If you access data that isn't yours, stop.
- If a vulnerability gives you access to data that is not yours, stop immediately. Access only the minimum needed to confirm the issue exists.
- Do not view, copy, download, store, transfer, retain, or share any data belonging to other users. Take only the notes or screenshots needed to demonstrate the finding, and redact personal data where you can.
- Report the exposure to us promptly, and securely delete any incidentally accessed data once you have submitted your report.
- Never use a vulnerability to degrade the Service, pivot to other systems, or maintain persistent access.
Send it to our security team.
Email security@oltodiscovery.com — the same address published in our /.well-known/security.txt. A clear, reproducible report helps us validate and fix the issue faster.
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce it, with any URLs and parameters
- A proof of concept (request/response, script, or screenshot) where possible
- The affected component and your test account, so we can trace it
- Any suggested remediation, if you have one
Acknowledge, triage, fix, coordinate.
Rewards.
We do not currently offer monetary rewards or a paid bug-bounty program for vulnerability reports. We are, however, genuinely grateful for responsible research, and — with your permission — we are happy to publicly acknowledge and credit researchers whose reports lead to a fix.
Policy version
Version 1.0 · last updated July 2026. We may revise this policy from time to time; the version and date above reflect the current text. This policy is offered by Velora Biotech LLC, operator of Olto Discovery, and complements our machine-readable security.txt.