Security & Responsible Disclosure
Report a vulnerability: security@opviva.com
1. Reporting a vulnerability
Found a security issue in Opviva? Email security@opviva.com with enough detail for us to reproduce it — the affected URL or endpoint, the steps, and any proof-of-concept. Please report privately and give us reasonable time to fix it before any public disclosure.
2. Our commitment
We acknowledge reports within 48 hours, keep you updated as we investigate, and credit reporters who want recognition once a fix ships. We will not pursue legal action against researchers who follow this policy in good faith.
3. Safe harbor
Testing that is limited to your own account and stays within the rules below is authorized. Do not access, modify, or delete data that isn't yours; do not degrade the service for other users; do not run automated scans, brute-force, or denial-of-service; and stop and report as soon as you've confirmed a vulnerability.
4. Out of scope
Reports that require physical access, social engineering of our staff or users, spam or best-practice suggestions without a demonstrable impact, and findings only reproducible on outdated browsers are generally out of scope. When in doubt, send it anyway and we'll assess.
5. Machine-readable policy
This policy is referenced by our security.txt at /.well-known/security.txt (RFC 9116). The disclosure contact of record is security@opviva.com.
For non-security questions, contact support.
