At Ollyo, we recognize the importance of information security in protecting our customers, systems, and data. To ensure our platforms and products remain secure, we encourage responsible vulnerability disclosure through our Responsible Disclosure Program. This program offers security researchers and enthusiasts a formal channel to report potential vulnerabilities in a responsible and safe manner. Your invaluable contribution will empower us to prevent security incidents and mitigate risks before they can be exploited by malicious actors.
If you believe you’ve discovered a security issue, please follow these steps:
✦ Submit a report by emailing us at security[At]ollyo.com
✦ Include the following details in your report:
- A short description of the vulnerability
- Steps to reproduce it
- A summary of the potential impact
- Relevant screenshots, videos, or logs
✦ We will acknowledge your submission within 3 to 7 working days
✦ Domains, Including Sub-domains:
- ollyo.com
- joomshaper.com
- themeum.com
- tutorlms.com
- droip.com
- icofont.com
✦ Plugins, Themes:
- Droip, Tutor LMS, SP Page Builder and others
✦ API Security
- Authentication, Access control, Data Exposure
✦ We're particularly interested in P1, P2 and P3
✦ Offensive Tactics and Vulnerabilities Not Accepted:
- Informative/P4/Limited Scope
- Test/Staging Environments
- DoS/DDoS Attacks
- Spamming/Brute Force Attacks
- Social Engineering Attacks
- Third-party Exploitation
- WP REST, XML-RPC, TLS/SSL, HSTS and Others
- Requiring Extensive User Interaction
✦ Do not exploit vulnerabilities beyond proof of concept
✦ Avoid disrupting our systems or services
✦ Respect privacy: Do not access, modify, or delete data
✦ Do not publicly disclose vulnerabilities until they are resolved by Ollyo
We sincerely appreciate your dedication to enhancing the security of Ollyo. The Ollyo Hall of Fame is a prestigious recognition honoring those who contribute to our mission by reporting vulnerabilities. We especially encourage reports of vulnerabilities highlighted in the OWASP Top 10, SANS/CWE Top 25, or MITRE ATT&CK frameworks.
Depending on the severity of the reported vulnerability, you may earn public recognition on our Hall of Fame page, celebrating your vital role in our commitment to security.
✦ When reporting vulnerabilities in compliance with this program, you can be confident that Ollyo considers this activity authorized and you will not face legal action if acting in good faith.