Vulnerability Disclosure Policy · RFC 9116

Found a security issue? Report it — we'll work it with you.

We welcome good-faith security research and we want to hear about vulnerabilities in Olto Discovery. This policy explains what is in scope, the rules we ask you to follow, our commitment not to pursue you for good-faith research, and what you can expect after you report. It complements the machine-readable security.txt we publish under RFC 9116.

At a glancev1.0 · July 2026
We aim to acknowledge
Within a few business days
Rewards
No monetary rewards at this time
Disclosure
Coordinated — hold details until a fix ships
Scope

What is — and is not — in scope.

Test only the systems below, and only using accounts and data you control. If you are unsure whether something is in scope, ask us first.

In scope
  • www.oltodiscovery.com
    the public marketing and documentation site
  • The Olto Discovery web application
    the authenticated dashboard and its API routes at the same origin
  • Our published security surfaces
    HTTP security headers, session and authentication flows, tenant-isolation (row-level security) boundaries
Out of scope
  • Third-party providers
    Supabase, Vercel, Anthropic, Stripe, Resend, PostHog, Google Analytics, and hCaptcha — report issues in their systems to those vendors directly, under their own policies
  • Denial-of-service (DoS / DDoS)
    volumetric, resource-exhaustion, or availability attacks against the site or its infrastructure
  • Social engineering
    phishing or pretexting our team, customers, contractors, or vendors
  • Physical and supply-chain attacks
    physical access to offices or hardware, or tampering with third-party dependencies
  • Findings that require a compromised device or a privileged position
    malware on a victim’s machine, a rooted device, or already-privileged network access
Safe harbor

Good-faith research is welcome.

If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorized, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. We consider activity conducted consistently with this policy to be authorized under the applicable computer-fraud and anti-hacking laws, and exempt from restrictions in our Terms of Service that would otherwise conflict with good-faith security research.

This protection applies only to good-faith research that stays within the scope and rules described here. It does not authorize you to violate the privacy of our users, disrupt the Service, or access data beyond what is necessary to demonstrate a vulnerability. If legal action is initiated by a third party against you for activity conducted under this policy, and you have complied with it, we will take steps to make it known that your actions were authorized.

Rules of engagement

What we ask you not to do.

These rules keep research safe for our users and for you. Testing that breaks them falls outside the safe harbor above.

  • No denial-of-service (DoS / DDoS), load, stress, or resource-exhaustion testing of any kind.
  • No social engineering, phishing, or pretexting of our staff, users, contractors, or vendors.
  • No accessing, modifying, deleting, or exfiltrating data that does not belong to you — use only test accounts you control.
  • No automated, high-volume scanning that degrades service, floods the audit log, or generates disruptive traffic; keep request rates reasonable.
  • No physical intrusion, and no attacks against third-party services or infrastructure we do not operate.
  • No public disclosure of a vulnerability, or its details, before we have had a reasonable opportunity to remediate and agree on timing with you.
Handling what you find

If you access data that isn't yours, stop.

  1. If a vulnerability gives you access to data that is not yours, stop immediately. Access only the minimum needed to confirm the issue exists.
  2. Do not view, copy, download, store, transfer, retain, or share any data belonging to other users. Take only the notes or screenshots needed to demonstrate the finding, and redact personal data where you can.
  3. Report the exposure to us promptly, and securely delete any incidentally accessed data once you have submitted your report.
  4. Never use a vulnerability to degrade the Service, pivot to other systems, or maintain persistent access.
How to report

Send it to our security team.

Email security@oltodiscovery.com — the same address published in our /.well-known/security.txt. A clear, reproducible report helps us validate and fix the issue faster.

Please include
  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce it, with any URLs and parameters
  • A proof of concept (request/response, script, or screenshot) where possible
  • The affected component and your test account, so we can trace it
  • Any suggested remediation, if you have one
What to expect from us

Acknowledge, triage, fix, coordinate.

01
Acknowledgment
We aim to acknowledge a good-faith report within a few business days. This is a target, not a contractual service level — response times vary with report volume and complexity.
02
Triage & validation
We review each report, attempt to reproduce the issue, and assess its impact and severity. We may follow up for clarification or a proof of concept.
03
Remediation
When we confirm a valid vulnerability, we prioritize a fix according to its risk and work it through our normal engineering and release process.
04
Coordinated disclosure
We ask that you keep findings confidential until a fix is deployed, and we will coordinate any public disclosure and timing with you. We are happy to credit you if you would like acknowledgment.
Recognition

Rewards.

We do not currently offer monetary rewards or a paid bug-bounty program for vulnerability reports. We are, however, genuinely grateful for responsible research, and — with your permission — we are happy to publicly acknowledge and credit researchers whose reports lead to a fix.

Policy version

Version 1.0 · last updated July 2026. We may revise this policy from time to time; the version and date above reflect the current text. This policy is offered by Velora Biotech LLC, operator of Olto Discovery, and complements our machine-readable security.txt.