ONE is committed to ensuring the security of our customers by protecting their information. This disclosure is intended to engage the security community and researchers because we recognize that the work done by the community is important to improve security for all of our customers. This disclosure describes:
- Systems covered under the policy
- Types of research under the policy
- How to report or send us vulnerability reports
- How long we suggest security researchers wait before publicly disclosing vulnerabilities
We encourage you to contact us to report potential vulnerabilities in our systems
ONE will not engage in legal action against individuals who make a good faith effort to comply with this policy during their security research. If researchers follow the policy, ONE will consider your research to be authorized, and we will work with you to understand and resolve the issue with expedience.
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Do no commit privacy violations, degrade user experience, disrupt production systems, and engage in destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Refrain from disclosing vulnerability or sensitive details to the public before a mutually agree timeframe expires
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests
- Tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
ONE's disclosure policy covers the following domains:
Any service not expressly listed above, such as connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors are outside of this policy's scope and should be reported directly to the vendor. If you are unsure if a system is in scope or not, please contact us at [email protected] before starting your research.
We intend to increase our scope as we build capacity and experience with this process. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
How to Submit a Vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely ONE , we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
To submit a vulnerability report to ONE's product security team, please send an email to [email protected]
What we would like to see from you
In order to help us prioritize submissions, we recommend that your reports:
- Describe the location of the vulnerability
- Describe the potential impact of exploitation
- Offer a detailed description of steps needed to reproduce the vulnerability (screenshots are helpful)
- Include proof-of-concept code to help us better triage
- Include any plans or intentions for public disclosure
What you can expect from us
When you report a vulnerability to us, we commit to coordinating with you to as openly and quickly as possible.
- We will acknowledge that your report has been received in a timely manner (within 3 business days)
- After triage, we will send an expected timeline
- We commit to being transparent as possible about the existence of the vulnerability and the steps we are taking during the remediation process, to the best of our ability
- We will maintain an open dialogue to discuss issues
If we are unable to resolve communication issues or other problems, ONE may bring in a neutral third party to assist to determine how best to handle the vulnerability.
Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.