Responsible Disclosure Policy

OTA Sync values the security of our users as well as the security of our systems. This Responsible Security Reporting Program allows you to alert OTA Sync of possible security vulnerabilities. We encourage the reporting of security vulnerabilities found in OTA Sync products.
This article explains how to submit your report as well as our guidelines.

Rules and regulations

  • Do not attempt to read, write, or access any private data to which you have access
  • Do not disclose any vulnerabilities publicly.
  • Do not run any testing that would interrupt services or degrade users' abilities to utilize them.
  • Do not use noisy automated scanners.
  • All testing must adhere to the scopes and domains outlined below.

In Scope

  • app.otasync.me
  • beta.otasync.me
  • app.otasync.me/engine
  • app.otasync.me/multiproperty
  • OTA Sync Mobile Apps

Out of Scope vulnerabilities

  • otasync.me
  • DMARC/SPF issues
  • Issues related to TLS/SSL versions
  • Distributed Denial of Service
  • Email or account enumeration
  • Any physical access issues
  • Previously reported security vulnerability
  • Social engineering
  • Phishing attacks
  • Any vulnerabilities in third-party apps or websites.
  • Any security vulnerability on the client side (e.g., browsers, plugins)

Report Submissions

We ask that you commit to ensuring our users' safety, so please give us time to analyze submissions through this program and fix any security vulnerabilities you may discover. Reports must be submitted to office@otasync.me with the following information

  1. Description of the issue
  2. Browser Version(if applicable)
  3. Scenario(if applicable)
  4. Steps to reproduce
  5. Any additional information/reference
  6. Proof of concept: scripts, screenshots, and compressed screen captures
  7. Impact of the vulnerability

We'll keep you informed about our progress throughout the process.