Vulnerability disclosure
Report a security issue.
We welcome security research and responsible disclosure. This page describes what's in scope, how to report, and what you can expect from us.
Scope.
In scope
- The Owlie product and its APIs at *.owlie.app.
- The marketing site at owlie.com.
- The Trust Center at trust.owlie.com.
Out of scope
- Social engineering of Owlie employees, contractors, or customers.
- Physical attacks against Owlie offices or infrastructure.
- Denial-of-service testing, rate-limit bypass, or volumetric attacks.
- Third-party services we depend on but do not operate. Report those to the relevant vendor.
- Findings that require a compromised endpoint, stolen credentials, or a rooted device.
How to report.
Email security@owlie.com. PGP key available on request.
Please include
- Affected component, endpoint, or URL.
- Reproduction steps, with any payloads or sample requests.
- Observed impact and, where relevant, a proof of concept.
- Suggested remediation, if known.
- How you would like to be credited, or a request to remain anonymous.
What you can expect from us.
-
Acknowledgement within one business day.
A human will confirm receipt.
-
Status update within five business days.
Triage outcome and next steps.
-
Coordinated disclosure.
We agree on a public-disclosure timeline with you before anything is published.
-
Credit if you want it.
Named on the Trust Center, or anonymous — your call.
-
No legal action against good-faith researchers who follow this policy.
Safe harbor.
Owlie will not pursue legal action against researchers who act in good faith under the terms of this policy. Good-faith research means: you stay within the in-scope surface, you do not access, modify, exfiltrate, or retain data that does not belong to you beyond what is necessary to demonstrate the issue, you do not degrade service for other users, and you give us reasonable time to remediate before public disclosure. If you are unsure whether a planned test is in scope, ask first at security@owlie.com.