Coordinated disclosure
Found something? Tell us.
Acknowledged within 24 hours. Triaged within 5 business days. Safe-harbor for good-faith research per the policy below — no legal action when you follow it.
Policy summary
- Test only your own accountor accounts you have explicit permission to test. Don’t pivot to other users’ data.
- Don’t exfiltrate.Proof-of-concept is enough — stop as soon as you’ve confirmed the bug exists.
- Don’t DDOS or spam. No load tests, no brute-force, no social engineering of staff.
- Give us 90 daysbefore public disclosure, longer for critical issues. We’ll credit you in the changelog when you want it.
- In-scope: orvica.co + all subdomains, the Orvica iOS/Android apps once they ship, the Volt API.
- Out of scope: third-party services (Stripe, Plaid, Supabase, Resend, Twilio), DKIM/DMARC reports, missing security headers without an attached exploit, self-XSS, missing rate limits on non-sensitive endpoints.
Prefer encrypted email?
security@orvica.co — PGP key available on request. For time-sensitive issues (account takeover, data exposure), use email + cc hello@orvica.co.