// Security

Responsible Security
Disclosure Policy

Last updated: June 2026

1. Our Commitment

Osapher is committed to protecting the security of our platform and the businesses that trust us with their identity data. We welcome responsible disclosure of security vulnerabilities.

2. How to Report

If you discover a security vulnerability in Osapher, please report it to:

security@osapher.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact details (optional)

We do not require you to identify yourself to report a vulnerability.

3. Our Response Commitments

  • Acknowledge receipt within 48 hours
  • Provide a status update within 7 business days
  • Notify you when the vulnerability is resolved (if contact details provided)
  • We will not pursue legal action against researchers who act in good faith, follow this policy, avoid accessing or retaining customer data, and do not disrupt our services or those of our customers.

4. Scope

In scope:

  • osapher.com
  • enterprise.osapher.com
  • app.osapher.com.au
  • onboard.osapher.com
  • Public API endpoints operated by Osapher at app.osapher.com

Out of scope:

  • Third-party infrastructure not operated by Osapher (Supabase, Railway, Vercel, Resend, OpenSanctions)
  • Credential stuffing or brute-force attacks
  • Phishing, spam, or social engineering of Osapher staff or customers
  • Denial-of-service or destructive testing of any kind
  • Automated high-volume scanning
  • Physical security testing
  • Accessing or testing systems belonging to Osapher customers

5. Responsible Disclosure Guidelines

Please:

  • Do not access, download, copy, alter, delete or exfiltrate customer data. If customer data is encountered during testing, stop immediately and report the finding without retaining any data.
  • Allow reasonable time for us to fix the issue before public disclosure
  • Not degrade platform performance or availability
  • Not exploit vulnerabilities beyond proof of concept

6. Recognition

We genuinely appreciate security researchers who help keep Osapher safe. While we do not currently operate a bug bounty programme, we acknowledge responsible disclosure publicly where researchers consent.

Contact: security@osapher.com