Vulnerability Disclosure Policy (VDP)
1. Introduction
Cagatay Guley, trading as ORE2B ("ORE2B", "we", "us", or "our") is committed to ensuring the security of our services, our platform, and our users' data. We value the contributions of the independent security research community in helping us maintain a secure environment. This Vulnerability Disclosure Policy (VDP) provides clear guidelines for security researchers to conduct vulnerability discovery activities and submit discovered vulnerabilities to us.
The goal of this policy is to create a safe and collaborative environment where researchers can report vulnerabilities without fear of legal reprisal, provided their activities are in line with this policy.
2. Safe Harbor
ORE2B provides a "Safe Harbor" for security research activities. We will not initiate legal action or ask law enforcement to investigate you if you comply with this VDP in good faith. We consider security research and vulnerability disclosure activities conducted under this policy to be authorized and beneficial to the mutual security of ORE2B and its users.
To qualify for Safe Harbor, your research must:
- Be conducted in accordance with all sections of this policy.
- Not compromise the privacy or safety of our users or the stability of our services.
- Not involve the destruction, modification, or exfiltration of any data you may access.
- Cease immediately if you encounter any user data or personally identifiable information (PII).
3. Scope
This policy applies to the following ORE2B assets (the "In-Scope Assets"):
- www.ore2b.com and all its subdomains.
- Any APIs provided by ORE2B.
Out-of-Scope: Any service not explicitly listed above is considered out of scope. This includes, but is not limited to:
- Third-party services or applications used by ORE2B (e.g., cloud hosting providers, payment processors).
- ORE2B's corporate IT infrastructure, including email systems and internal office networks.
- Social engineering (e.g., phishing, vishing) or physical attacks against ORE2B employees, offices, or data centers.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
- Reports from automated scanners without manual verification of the vulnerability.
- Vulnerabilities related to outdated browser versions or missing security headers that do not lead to a direct, exploitable vulnerability.
4. How to Submit a Vulnerability
If you believe you have discovered a security vulnerability in one of our In-Scope Assets, please submit your findings to us via email.
- Email: [email protected]
To help us triage and validate your report efficiently, please include the following information:
- Title: A clear and concise summary of the vulnerability.
- Description: A detailed explanation of the vulnerability and its potential impact.
- Location: The specific URL, IP address, or asset where the vulnerability was discovered.
- Steps to Reproduce: A step-by-step proof of concept (PoC) demonstrating how to trigger the vulnerability.
- Supporting Materials: Any relevant screenshots, videos, logs, or scripts.
- Contact Information: Your name or alias for recognition purposes.
Please do not include any sensitive user data (other than your own test account data) in your reports.
5. Our Commitment (What to Expect from Us)
Upon receiving your report, we are committed to the following:
- We will provide a timely confirmation of receipt (typically within 2 business days).
- We will conduct an initial triage of the vulnerability to determine its validity and severity.
- We will keep you informed of the progress of our remediation efforts.
- We will notify you when the vulnerability has been resolved.
- We will work with you to ensure we have a complete understanding of the issue.
6. Rules of Engagement
To remain in compliance with this policy, you must adhere to the following rules:
- DO use your own accounts or test accounts for your research. Do not attempt to access or interact with other users' accounts or data.
- DO cease testing and report to us immediately if you encounter any user data or personally identifiable information (PII).
- DO NOT engage in any activity that could cause a disruption to our services or degrade the user experience.
- DO NOT destroy, corrupt, modify, or exfiltrate any data. Your research should be limited to the minimum necessary to demonstrate a proof of concept.
- DO NOT publicly disclose any details of the vulnerability until we have confirmed that it has been remediated and have provided our consent for disclosure.
7. Rewards and Recognition
We deeply appreciate the efforts of security researchers in helping to keep our platform safe.
While we do not currently operate a formal public bug bounty program with monetary rewards, we believe in recognizing the valuable contributions of the community. For significant and well-reported vulnerabilities, we may, at our sole discretion, offer a token of appreciation.
At a minimum, with your permission, we would be pleased to publicly acknowledge your contribution on our future Security Hall of Fame page.
We thank you for your commitment to helping us secure ORE2B.