Vulnerability Disclosure Program
Ozone Insurance Vulnerability Program Scope and Rules
In Scope
We are primarily interested in vulnerabilities in the following categories:
- Sensitive Data Exposure – Cross Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.
- Authentication or Session Management related issues
- Remote Code Execution
- Unique issues that do not fall into explicit categories
Out of Scope
The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.
- Denial of Service (DoS) – Either through network traffic, resources exhaustion or others
- Issues only present in old browsers/old plugins/end-of-life software browsers
- Phishing or social engineering of Real Magic / Levitate employees, users or clients
- Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
- Any attack or vulnerability that hinges on a user’s computer or email account first being compromised
Please note that you are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof-of-concept. Excessive exfiltration or downloading of Ozone Insurance data, or demanding payment in return for destruction of Ozone Insurance data, will be considered outside of the scope of this program, and Real Magic will reserve all of its rights, remedies, and actions to protect itself and its users.
Vulnerability Rewards
Our program does not currently provide any monetary rewards.
How to Report a Vulnerability
To report a vulnerability, please send an email to [email protected].