Responsible Disclosure

Security researchers are a crucial part of a resilient platform. Open Doors welcomes reports of vulnerabilities from the community and commits to acting on them quickly and transparently.

How to report

• Email security@opendoors.ai with a clear write-up.
• Include steps to reproduce, affected endpoints/URLs, impact, and any proof-of-concept.
• Optional: PGP-encrypt using our key (fingerprint published on this page when the key is rotated; request the current key from the above address).

What happens next

• Acknowledge within 2 business days.
• Triage and assign severity within 5 business days.
• Remediate high-severity issues with urgency and keep you updated on progress.
• Credit you in our security advisories at your option.

Safe harbour

We will not pursue legal action against researchers who, in good faith:

• Test only against accounts they own or have explicit permission to test.
• Do not violate privacy, destroy data, or disrupt the Services.
• Avoid social engineering against our staff, customers, or vendors.
• Do not exfiltrate or retain customer data beyond what is strictly necessary to demonstrate the issue.
• Disclose publicly only after we confirm the issue is fixed or mutually agreed.
• Comply with applicable law.

Out of scope

• Denial-of-service testing, volumetric testing, or physical attacks.
• Social engineering of staff, partners, or customers.
• Automated scanning that degrades performance for other users.
• Reports that require highly unlikely user interaction without impact.
• Missing best-practice headers without demonstrable impact.
• Vulnerabilities in third-party services we embed — please report those to the vendor directly.

Bug bounty

We operate a private bug-bounty programme for demonstrated researchers. If you would like an invitation, include a brief history of your prior disclosures in your first report and we will consider inviting you to the programme.