

At Ollyo, we recognize the importance of information security in protecting our customers, systems, and data. To ensure our platforms and products remain secure, we encourage responsible vulnerability disclosure through our Responsible Disclosure Program. This program offers security researchers and enthusiasts a formal channel to report potential vulnerabilities in a responsible and safe manner. Your invaluable contribution will empower us to prevent security incidents and mitigate risks before they can be exploited by malicious actors.



𒆜 REPORTING A VULNERABILITY

If you believe you’ve discovered a security issue, please follow these steps:

✦ Submit a report by emailing us at security[At]ollyo.com

✦ Include the following details in your report:

    - A short description of the vulnerability
    - Steps to reproduce it
    - A summary of the potential impact
    - Relevant screenshots, videos, or logs

✦ We will acknowledge your submission within 3 to 7 working days



𒆜 IN-SCOPE

✦ Domains, Including Sub-domains:

    - ollyo.com
    - joomshaper.com
    - themeum.com
    - tutorlms.com
    - droip.com
    - icofont.com

✦ Plugins, Themes:

    - Droip, Tutor LMS, SP Page Builder and others

✦ API Security

    - Authentication, Access control, Data Exposure

✦ We're particularly interested in P1, P2 and P3



𒆜 OUT-OF-SCOPE

✦ Offensive Tactics and Vulnerabilities Not Accepted:

    - Informative/P4/Limited Scope
    - Test/Staging Environments
    - DoS/DDoS Attacks
    - Spamming/Brute Force Attacks
    - Social Engineering Attacks
    - Third-party Exploitation
    - WP REST, XML-RPC, TLS/SSL, HSTS and Others
    - Requiring Extensive User Interaction



𒆜 PROGRAM RULES

✦ Do not exploit vulnerabilities beyond proof of concept
✦ Avoid disrupting our systems or services
✦ Respect privacy: Do not access, modify, or delete data
✦ Do not publicly disclose vulnerabilities until they are resolved by Ollyo



𒆜 RECOGNITION AND HALL OF FAME

We sincerely appreciate your dedication to enhancing the security of Ollyo. The Ollyo Hall of Fame is a prestigious recognition honoring those who contribute to our mission by reporting vulnerabilities. We especially encourage reports of vulnerabilities highlighted in the OWASP Top 10, SANS/CWE Top 25, or MITRE ATT&CK frameworks.

Depending on the severity of the reported vulnerability, you may earn public recognition on our Hall of Fame page, celebrating your vital role in our commitment to security.



𒆜 LEGAL SAFE HARBOR

✦ When reporting vulnerabilities in compliance with this program, you can be confident that Ollyo considers this activity authorized and you will not face legal action if acting in good faith.


𒆜 FREQUENTLY ASKED QUESTIONS (FAQ)

Q1: What should I do if I discover a vulnerability outside of the scope?

If you discover a vulnerability that falls outside of our Responsible Disclosure Program’s defined scope, we encourage you to still report it to us. While such vulnerabilities may not qualify for public recognition or listing in the Hall of Fame, your report can still help us improve our systems and better protect our users. for further guidance.

Q2: Does Ollyo offer monetary rewards for vulnerability reports?

No, Ollyo does not provide financial compensation or bounties for vulnerability reports at this time. Instead, we recognize and appreciate your efforts through our Hall of Fame. This public recognition honors individuals who help improve the security of our platforms by responsibly disclosing vulnerabilities. Earning a place in the Hall of Fame is a prestigious acknowledgment of your contribution to safeguarding our systems and data.

Q3: Can I publicly disclose the vulnerability?

No, we request that you do not publicly disclose any vulnerabilities until they have been fully resolved by Ollyo. Responsible disclosure ensures that we have the time to address the issue and protect our systems and users before the vulnerability becomes public knowledge. Once the issue is fixed, you are welcome to discuss it, and we will acknowledge your contribution in our Hall of Fame.

Q4: How long does it take for Ollyo to respond to my vulnerability report?

We aim to acknowledge receipt of your report within 3 to 7 working days. Our security team will review your submission and provide updates on our investigation. Please note that the time taken to resolve an issue can vary depending on its complexity. If you haven’t received a response within 7 working days after submitting your report, please feel free to follow up by emailing us again.

Q5: Can I report multiple vulnerabilities at once?

Yes, you can submit multiple vulnerabilities in a single report or across several reports. We encourage you to provide as much detail as possible for each vulnerability, especially if they are related. However, please avoid bundling unrelated issues in a single report for clarity and efficiency.

Q6: What happens if someone else reports the same vulnerability I found?

If another researcher has already reported the same vulnerability, we will still acknowledge your report, but only the first valid submission will be eligible for recognition in the Hall of Fame. We encourage you to submit your findings as soon as possible to ensure they are considered.