Vulnerability Disclosure Policy

oklido is committed to the security of our customers and welcomes reports of potential security vulnerabilities.

Reporting a Vulnerability

How to Report

Email: security@oklido.com

PGP Key: Available on request for encrypted communications

What to Include

Please include:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact assessment
  4. Any proof-of-concept code or screenshots
  5. Your contact information (optional, but helpful)

Our Commitment

Response Timeline

Stage                 Timeline
Acknowledgment        Within 24 hours
Initial assessment    Within 5 business days
Status update         Every 7 days
Resolution target     90 days (depending on severity)

What We Promise

  • Acknowledge all reports promptly
  • Investigate thoroughly and fairly
  • Keep you informed of our progress
  • Credit you in our security acknowledgments (if desired)
  • Not pursue legal action against good-faith researchers

Responsible Disclosure Guidelines

Please follow these guidelines:

Do

  • Report vulnerabilities promptly
  • Give us reasonable time to fix issues before disclosure
  • Avoid accessing or modifying other users' data
  • Act in good faith
  • Delete any data you accessed during research

Don't

  • Access, modify, or delete other users' data
  • Perform denial of service attacks
  • Send spam or phishing emails
  • Use social engineering against our staff
  • Publicly disclose before we've had time to fix

Scope

In Scope

  • oklido web application (oklido.com)
  • oklido API (api.oklido.com)
  • oklido help site (help.oklido.com)
  • Authentication and authorisation issues
  • Data exposure vulnerabilities
  • Business logic flaws

Out of Scope

  • Third-party services we use (Auth0, AWS, etc.)
  • Social engineering attacks
  • Physical security
  • Denial of service attacks
  • Issues already known to us
  • Issues in outdated software versions

Severity Levels

Critical

  • Remote code execution
  • SQL injection
  • Authentication bypass
  • Access to all user data

High

  • Significant data exposure
  • Privilege escalation
  • Stored XSS

Medium

  • Reflected XSS
  • CSRF
  • Limited data exposure

Low

  • Low-impact information disclosure (for example, software version banners or verbose error messages)
  • Missing security headers
  • Deviations from best practice with no demonstrated security impact

Recognition

Hall of Fame

We maintain a security researcher acknowledgments page; being listed on it is optional.

If you'd like to be credited:

  • Provide your name (or handle)
  • Provide a link (optional)
  • We'll add you after the fix is deployed

Bug Bounty

We currently operate an informal bug bounty program. Significant findings may receive:

  • Recognition
  • oklido credit
  • Gift cards

Note: This is discretionary and not guaranteed.

Legal Safe Harbor

oklido will not pursue legal action against researchers who:

  • Act in good faith
  • Follow this policy
  • Report findings promptly
  • Avoid harm to users or systems

Contact

Security Team: security@oklido.com

Acknowledgment: within 24 hours


Security.txt

For automated discovery, our security.txt file is available at:

https://oklido.com/.well-known/security.txt
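Tools that consume security.txt should check it before trusting it: RFC 9116 requires the Contact and Expires fields, and an expired or non-canonical file should be treated as stale. The validator below is an added example, not oklido's own code, and the sample file it checks is constructed for illustration: only the contact address and the file's URL come from this page, while the Expires, Canonical and Preferred-Languages values are assumptions. It also unwraps a PGP clear-signed file so the fields can be read, but does not verify the signature.

```python
"""Offline validator for a security.txt file (RFC 9116).

Added example, not oklido's code. Apart from the contact address and the
file's URL, every value in the samples is constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names defined by RFC 9116 (compared case-insensitively).
RFC9116_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                  "expires", "hiring", "policy", "preferred-languages"}

# Constructed sample; Expires, Canonical and Preferred-Languages are assumed.
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not the live file
Contact: mailto:security@oklido.com
Expires: 2027-01-01T00:00:00Z
Canonical: https://oklido.com/.well-known/security.txt
Preferred-Languages: en
"""


def _parse_timestamp(value):
    """Parse an ISO 8601 timestamp; a trailing Z or no zone means UTC."""
    when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def _strip_pgp_cleartext(text):
    """Return the signed body of a PGP clear-signed file (dash-escaping undone),
    or the text unchanged. The signature is NOT verified here."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip armor headers (Hash: ...)
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_security_txt(text):
    """Return {lowercased field name: [values]}, ignoring comments and blanks."""
    fields = {}
    for raw in _strip_pgp_cleartext(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None, fetched_from=None):
    """Apply the RFC 9116 rules a consumer cares about.

    now: ISO 8601 string (defaults to current UTC time). fetched_from: URL the
    file was retrieved from, checked against Canonical when both are present.
    Returns (errors, warnings); any error means the file should not be trusted.
    """
    current = _parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    errors, warnings = [], []

    for name in ("contact", "expires"):
        if name not in fields:
            errors.append(f"missing required field: {name}")
    for name in fields:
        if name not in RFC9116_FIELDS:
            warnings.append(f"unknown field: {name}")

    for value in fields.get("contact", []):
        scheme = urlsplit(value).scheme.lower()
        if not scheme:
            errors.append(f"Contact is not a URI: {value}")
        elif scheme not in ("https", "mailto", "tel"):
            warnings.append(f"Contact uses a non-recommended scheme: {value}")

    expires = fields.get("expires", [])
    if len(expires) > 1:
        errors.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            when = _parse_timestamp(value)
        except ValueError:
            errors.append(f"Expires is not a valid timestamp: {value}")
            continue
        if when <= current:
            errors.append(f"file expired at {value}; treat it as stale")
        elif when - current > timedelta(days=365):
            warnings.append("Expires is more than a year out; RFC 9116 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")

    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        errors.append(f"{fetched_from} is not listed in Canonical; file may not apply here")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_security_txt(SAMPLE_SECURITY_TXT, now="2026-06-01T00:00:00Z")
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Run it as a script to check the constructed sample; in practice feed it the body fetched from the URL above, pass that URL as fetched_from so the Canonical check applies, and verify any PGP signature separately against the publisher's key before acting on the Contact values.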

Last updated: January 2026