Security Policy
Last Updated: January 29, 2026
Security at Onwynd
The security of our users' data is our highest priority. We appreciate the security research community's efforts in helping us maintain the security and privacy of our platform.
This policy outlines our commitment to working with security researchers to identify and address vulnerabilities responsibly.
Responsible Vulnerability Disclosure
We encourage security researchers to report potential vulnerabilities responsibly. If you believe you've discovered a security issue, we want to hear from you.
What We Ask:
- Report vulnerabilities privately to our security team
- Give us reasonable time to investigate and address the issue
- Do not exploit vulnerabilities beyond minimal testing
- Do not access, modify, or delete user data
- Do not publicly disclose the vulnerability before we've addressed it
In Scope
The following assets and vulnerability types are in scope:
Target Assets:
- *.onwynd.com domains
- Mobile applications (iOS & Android)
- API endpoints
- Web application infrastructure
Vulnerability Types:
- SQL Injection
- Cross-Site Scripting (XSS)
- Authentication bypass
- Server-Side Request Forgery (SSRF)
- Broken access controls
- Remote code execution
- Sensitive data exposure
Out of Scope:
The following are explicitly out of scope and should not be tested:
- Social engineering attacks (phishing, vishing, etc.)
- Physical security testing
- Denial of Service (DoS/DDoS) attacks
- Spam or spamming vulnerabilities
- Clickjacking on pages with no sensitive actions
- Issues in third-party applications not controlled by Onwynd
How to Report a Vulnerability
Reporting Process:
- Email Our Security Team: send your report to security@onwynd.com. Use PGP encryption for sensitive details (key available on request).
- Include These Details: vulnerability description, steps to reproduce, impact assessment, proof of concept. The more detailed, the faster we can respond.
- Use This Subject Line: [Security Report] Brief Description. Example: [Security Report] SQL Injection in Login Form
- Await Confirmation: we'll acknowledge receipt within 48 hours, and you'll receive a tracking number for your report.
What to Include in Your Report:
- Vulnerability Type: SQL Injection, XSS, etc.
- Affected Asset: URL, API endpoint, or app version
- Steps to Reproduce: detailed, numbered steps
- Impact Assessment: what data is at risk?
- Proof of Concept: screenshots, videos, or code
- Suggested Fix: optional but appreciated
Our Response Process
After you report a vulnerability, here's what happens:
- Initial Response: we acknowledge receipt and assign a tracking number
- Triage & Validation: we validate the vulnerability and assess severity
- Remediation: Critical: 7 days | High: 30 days | Medium: 90 days
- Notification & Credit: we notify you and offer public recognition (if desired)
Safe Harbor
When conducting vulnerability research according to this policy, we consider your activities authorized and will not pursue legal action.
Legal Protection:
If you follow this policy, Onwynd commits to:
- Not pursue legal action against you
- Not report you to law enforcement
- Work with you to understand and resolve the issue
- Publicly acknowledge your contribution (with your permission)
Important Note:
This safe harbor only applies to research conducted in good faith following this policy. Malicious exploitation, data theft, or extortion attempts are not covered and will be prosecuted to the fullest extent of the law.
Recognition & Rewards
We value the contributions of security researchers and recognize valid vulnerability reports based on their impact. Rewards are assessed at our discretion and communicated directly to the reporter.
- Critical: direct system compromise or data breach potential
- High: significant risk to users or platform integrity
- Medium: limited impact, no direct user data exposure
Additional Recognition:
- Public acknowledgment in our Hall of Fame (with permission)
- Swag and Onwynd merchandise
- Extended free subscription to our premium services
- Priority consideration for security positions
Contact Security Team
security@onwynd.com