OYO Responsible Disclosure
OYO makes every effort to mitigate bugs and shortfalls in its systems. We are open to receiving positive feedback from independent security groups and individual researchers who study our systems across all platforms and help make OYO technologically safer for our customers. If you discover any such shortfall, we would appreciate you investigating it responsibly and reporting it to us so that we can address it as soon as possible. We would further urge you to refrain from any frivolous reporting. For security-related bugs/vulnerabilities, we offer rewards and recognition after due review and validation. Though we welcome reporting of non-security issues at https://www.oyorooms.com/support/home, please note that only genuine security issues are eligible for the recognition program.
This Policy applies to all of OYO’s group companies/affiliates/subsidiaries (“OYO Group”) including but not limited to all of its domains subsisting worldwide.
In scope vulnerabilities
Security issues that typically would be eligible (though not necessarily in all cases) include:
Out of scope vulnerabilities
Things that are not eligible for reward include:
Guidelines & Rules
Participating in OYO’s Responsible Disclosure program requires you to follow our guidelines. Responsible investigation and reporting includes, but is not limited to, the following:
In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.
How to report a bug?
Allow us up to 7 days to respond before sending another email on the matter.
Public Disclosure Policy
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH ONE SHALL BE LIABLE FOR LEGAL PENALTIES!”
The identified bug must be reported to our security team by sending a mail from the reporter's registered email address to firstname.lastname@example.org (SUBJECT: SUSPECTED VULNERABILITY ON OYO). Do not change the subject line, or else the mail shall be ignored. The mail should strictly follow the format below:
Reporter Full Name:
Any Publicly Identifiable profile (LinkedIn, GitHub, etc.):