OMNIERAX LEGAL DOCUMENT

OMNIERAX VULNERABILITY DISCLOSURE POLICY

Version 2.0
Effective: 01 January 2025
Last Updated: 15 March 2025

Omnierax is committed to maintaining the security of its products and systems. We welcome responsible disclosure from security researchers and the broader technical community and commit to responding in a timely, transparent, and respectful manner.

This policy documents what to report, how to report it, our commitments in response, the scope of our safe-harbor protections, and how the disclosure timeline works.

1 What to Report

1.1 The Omnierax Website

omnierax.com and subdomains — authentication, form processing, API endpoints, content delivery, and supporting infrastructure.

1.2 Trust Portal and Documentation Hub

Authentication, access control, and content security in registered-access sections.

1.3 API Endpoints

Public and documented API endpoints and any discovered through legitimate research.

1.4 Mobile Applications

Official Omnierax mobile applications if and when published.

We do not operate a public bug bounty program at this time. A private bounty program for invited researchers exists — contact security@omnierax.com for consideration.

2 Out of Scope

2.1 Commercial Platform Products

Sentinel, Cortex AI, Maximus, Vertical Solutions, Aegis, Orbital — require a separate authorized assessment agreement.

2.2 Customer Infrastructure

Out of scope entirely.

2.3 Social Engineering

No social engineering against employees, contractors, or customers.

2.4 Physical Security

No physical testing of facilities.

2.5 Denial of Service

No DoS or resource exhaustion testing.

2.6 Third-Party Services

Report directly to the relevant vendor.

2.7 Unverified Automated Scans

Submissions without manual verification are not in scope.

3 How to Report

Primary Channel: security@omnierax.com

PGP: Public key at omnierax.com/security/pgp. Fingerprint to be populated upon key generation.

Include in Your Report:

  • Vulnerability type (e.g., SQL injection, authentication bypass, IDOR, XSS).
  • Affected URL, endpoint, or system component.
  • Step-by-step reproduction instructions.
  • Potential impact as you assess it.
  • Proof-of-concept code or screenshots.
  • Your contact information for follow-up.

Do Not Include: PII of Omnierax customers or users encountered in research, even as evidence. Describe that you encountered it without reproducing it in the report.

4 Our Commitments

4.1 Acknowledgment

Within 2 business days. If you do not receive acknowledgment within 5 business days, follow up with "FOLLOW-UP" in the subject.

4.2 Initial Assessment

Within 10 business days — reproducibility and preliminary severity classification.

4.3 Communication

Status updates at least every 15 business days. We will not go silent.

4.4 Remediation Timeline

  • Critical (CVSS 9.0–10.0): 30 days from confirmation.
  • High (CVSS 7.0–8.9): 60 days.
  • Medium (CVSS 4.0–6.9): 90 days.
  • Low (CVSS <4.0): 180 days or next major release.
  • Informational: at the engineering team's discretion.

4.5 Acknowledgment and Credit

With permission, we credit you publicly — by name, by organization, or anonymously. Out-of-scope or duplicate reports are not credited.

4.6 Disclosure Coordination

Standard coordinated disclosure window: 90 days from confirmation. Any extension is explained; we do not request an indefinite embargo.

5 Safe Harbor

Omnierax will not initiate legal action against researchers who:

  • Discover and report vulnerabilities in accordance with this policy.
  • Make a good-faith effort to avoid accessing, modifying, deleting, or disclosing data beyond what is minimally necessary.
  • Do not exploit the vulnerability beyond demonstrating its existence to Omnierax.
  • Do not publicly disclose before coordinating with us.
  • Do not research out-of-scope systems.
  • Do not degrade availability or performance for other users.

This safe harbor does not apply to activities that violate laws unrelated to security research. Good-faith research within this policy is treated as authorized access, and we will communicate that position to law enforcement if appropriate.

6 Disclosure History

We maintain a public chronological record of confirmed vulnerabilities, severity, response timeline, and researcher credits (with permission) at omnierax.com/security/disclosures, updated quarterly.