Vulnerability Disclosure Policy

Effective Date: May 28, 2026

OHDibs values the work of independent security researchers and welcomes good-faith reports of vulnerabilities. This policy explains what is in scope, how to report a vulnerability, what to expect from us in return, and the legal safe harbor we extend to researchers who follow this policy.

1. Scope

In scope

This policy covers the OHDibs public marketing website:

  • https://www.ohdibs.com
  • https://ohdibs.com (which redirects to www)

Out of scope

The following are explicitly out of scope. Reports about these targets will be acknowledged but not actioned under this policy:

  • Any OHDibs application surface served at per-tenant subdomains (that is, any *.ohdibs.com host other than www.ohdibs.com) — these are separate systems with their own security program.
  • Third-party services that the marketing site integrates with, including Formspree, Calendly, Stripe, Google Analytics, and Microsoft 365. Report issues with those services to their respective vendors.
  • The underlying AWS console, IAM, or cloud-infrastructure layer.
  • Denial-of-service, distributed denial-of-service, or load testing of any kind.
  • Social-engineering attacks against OHDibs staff, contractors, or customers.
  • Physical attacks against OHDibs property, offices, or personnel.
  • Automated scanning at rates above 10 requests per second.

2. Safe Harbor

OHDibs will not pursue or support legal action against researchers who report vulnerabilities in good faith following this policy, provided the researcher:

  • Makes a good-faith effort to avoid privacy violations, data destruction, and service interruption.
  • Provides OHDibs a reasonable time to investigate and address the issue before any public disclosure.
  • Does not exploit the issue beyond what is necessary to demonstrate it.

If your research is consistent with this policy, we will work with you to understand and resolve the issue, and OHDibs will not initiate or support a legal claim against you for that work. If a third party initiates a claim against you for activity that complied with this policy, we will make this authorization known.

3. How to Report

Send vulnerability reports to security@ohdibs.com. Please include, where possible:

  • A clear description of the vulnerability.
  • The exact URL, request, or step-by-step reproduction.
  • The potential impact as you see it.
  • Any supporting evidence (screenshots, request/response captures, proof-of-concept code) — strip any third-party data from these before sending.

An RFC 9116 security.txt file is also published at /.well-known/security.txt with the same contact information.

4. Disclosure Timeline

Our standard cadence on a valid report:

  • Within 5 business days: we acknowledge receipt and assign a point of contact.
  • Within 30 days: we provide an initial status update, including whether we can reproduce the issue and our preliminary view of severity.
  • Within 90 days: we aim to deploy a fix or, if more time is needed, agree with the reporter on an extended timeline.

We ask researchers to hold public disclosure until a fix is deployed, or until the agreed timeline expires.

5. What We Will Not Do

  • We will not initiate legal action against researchers who follow this policy.
  • We will not share identifying information about a reporter with third parties without their permission, except as required by law.

6. Recognition

OHDibs does not currently offer a paid bug bounty. We are happy to credit researchers (by name, handle, or anonymously, at the reporter's choice) once a reported issue has been resolved, if the reporter would like that recognition.

7. Changes to This Policy

This policy may be updated from time to time. The effective date above reflects the most recent revision. Material changes to scope, safe harbor, or disclosure timeline will be noted in the revision history of the public OHDibs marketing-site repository.

8. Contact

Security reports: security@ohdibs.com

General contact: info@ohdibs.com — (850) 764-3427

Thank you for helping keep OHDibs and its users secure.