Responsible Disclosure · Reward

Find a way through the closed internet. We'll reward you for telling us first.

entityOS runs a closed-internet architecture — IP allowlisting, mutual TLS, and self-sovereign identity. If you can break the assumptions that hold it together, we want to hear from you, in good faith, before anyone else does.

Why we run a reward program

Researchers make a closed system stronger.

Good faith welcome

Test within scope and we treat you as a partner, not a threat. Our safe-harbour policy has your back.

Fast response

Every report is acknowledged within two business days and, once validated, tracked through to a verified fix.

Real rewards

In-scope, valid findings earn a reward scaled to severity, exploitability and real-world impact.

Public recognition

With your consent, we credit the researchers who help us harden the platform.

What you can test

The attack surface in scope.

entityOS is built from a small number of interlocking security layers. Findings against any of these — especially anything that bypasses an assumption the architecture relies on — are exactly what this program exists for.

Closed-internet edge

IP allowlisting, network isolation and the staged access model that gates entry to the platform.

Mutual TLS & PKI

X.509 certificate issuance, validation and the AWS Private CA / local-CA signing flows behind mTLS.

Self-sovereign identity

KERI / ACDC credential handling, key-state validation and any path to forging or replaying identity.

Serverless factory code

Lambda factories, API Gateway endpoints and the IAM boundaries that constrain each function.

Data & allowlist storage

S3 object access, allowlist persistence and audit trails — anything enabling silent bypass or tampering.

Web & console surfaces

entityos.io and the console authentication surfaces, including session, registration and certificate flows.

Know the boundaries

What earns a reward — and what doesn't.

Out of scope

Generally not rewarded

  • Volumetric or rate-limit denial of service
  • Social engineering of staff, users or partners
  • Physical attacks against infrastructure or offices
  • Automated scanner output with no working proof of concept
  • Outdated dependency reports with no demonstrated exploit path
  • Missing best-practice headers or clickjacking on non-sensitive pages

In scope

What we want to see

  • Authentication or authorisation bypass
  • IP-allowlist or mutual-TLS bypass
  • Certificate forgery or validation weaknesses
  • SSI credential forgery, replay or key-state manipulation
  • Remote code execution or IAM privilege escalation
  • Exposure of sensitive data across tenant boundaries

When in doubt, report it. We would far rather review an out-of-scope report than miss a real one. Borderline findings with clear impact are always considered on their merits.

Reward tiers

Paid by impact, not by volume.

Each valid report is triaged against severity, how exploitable it is in practice, and the data or systems it puts at risk. The ranges below are guidelines — the final reward is set at entityOS's discretion.

Critical (A$600 – A$1,000)
  Allowlist or mTLS bypass, remote code execution, SSI credential forgery, or full cross-tenant data exposure.

High (A$400 – A$600)
  Authentication bypass, IAM privilege escalation, or a certificate validation flaw with a clear exploit path.

Medium (A$200 – A$400)
  Stored XSS in a sensitive context, IDOR exposing limited data, or a meaningful logic flaw.

Low (recognition + A$50 – A$200)
  Minor information disclosure or a non-sensitive misconfiguration with limited real-world impact.

Report quality also counts: a clear, reproducible report with a working proof of concept is rewarded more highly than the same issue described loosely.

What happens next

From report to reward.

01 · Report (you)
Complete a report with clear reproduction steps and, where possible, a proof of concept.

02 · Acknowledge (within 2 business days)
We confirm receipt and assign a tracking reference so you always know where your report stands.

03 · Triage (validate)
We reproduce the issue, confirm it is in scope and rate its severity against real-world impact.

04 · Remediate (fix and verify)
We fix and verify the issue, keeping you informed through to deployment of the patch.

05 · Reward and credit
We pay the reward and, with your consent, credit you for helping harden the platform.

Rules of engagement

Test safely, and we'll back you.

Stay in scope

Only test the systems listed above. If you're unsure whether something is in scope, ask first.

Minimise impact

Demonstrate, don't exploit. Stop at the minimum proof of concept needed to show impact, and never exfiltrate, alter or destroy data.

No denial of service

Don't run volumetric, load or stress testing against production systems or users.

Protect other people

Never access, modify or store another user's data. Use your own test account wherever possible.

Allow time to fix

Give us a reasonable window — typically 90 days — to remediate before any public disclosure.

Safe harbour

Good-faith research that follows these rules will not lead to legal action from entityOS.

Report an issue

Found something? Tell us.

Include in your report

  • The affected product, URL or endpoint
  • A summary of the threat and its potential impact
  • Clear, detailed steps to reproduce
  • A proof of concept, where you have one
  • How we can reach you for follow-up and reward

Submit through our form

Reports go through a single secure form — no email needed. It walks you through everything we need to triage and reward your finding.

Open the report form →

Based in Australia · ibCom

If you find a security issue with our cloud services, check it with us — and if it's valid, we'll reward you for it. The earlier and clearer the report, the better for everyone.