At OtterStorage we take security seriously. We are grateful to the researchers and customers who help us keep the service safe. This policy explains how to report a vulnerability in an orderly way and what you can expect from us.
1. How to report
Send your report to security@otterstorage.io. This channel is also published in machine-readable form at /.well-known/security.txt (following RFC 9116).
If you need to send sensitive information encrypted, let us know in your first email and we will provide a public key for the exchange.
2. What to include in the report
So we can reproduce and prioritize the issue quickly, please include where possible:
- A clear description of the vulnerability and its potential impact.
- Detailed steps to reproduce it (proof of concept, HTTP requests, screenshots or video).
- The affected component (URL, API endpoint, sample bucket, etc.) and the approximate date and time of your testing.
- Contact details for follow-up.
3. Our commitment
When you report in good faith following this policy, we commit to:
- Acknowledge receipt of your report within 3 business days.
- Perform an initial assessment and give you a triage of the issue within 10 business days.
- Keep you informed of remediation progress within reason.
- Treat your report confidentially and not share your details with third parties without your permission.
- Credit your contribution publicly if you wish, once the issue is resolved.
4. Scope
This policy covers the services operated by OtterStorage, in particular:
- The website otterstorage.io.
- The customer console console.otterstorage.io.
- The API api.otterstorage.io and the S3-compatible storage endpoints.
5. Out of scope
The following are not considered reportable vulnerabilities or require prior explicit authorization:
- Denial-of-service attacks (DoS/DDoS) or load/volume testing.
- Social engineering, phishing or physical attacks against our staff or facilities.
- Mass mailing (spam) or using our forms as a relay.
- Reports produced solely by automated scanners without a proof of concept demonstrating real impact.
- Missing security headers or best-practice configurations without a demonstrable attack vector.
- Vulnerabilities in third-party software without a concrete, reproducible impact on our service.
6. Rules of engagement
For your research to be covered by this policy, you must:
- Act in good faith and avoid any harm, disruption or degradation of the service.
- Use only accounts and data that you own. Do not access, modify or delete other customers' data (other tenants).
- Stop immediately if you come across personal data or confidential information belonging to third parties, and notify us without storing or disclosing it.
- Give us a reasonable period to fix the issue before disclosing any information about the vulnerability publicly.
- Not use the vulnerability beyond what is strictly necessary to demonstrate its existence.
7. Safe harbor
We consider security research carried out in accordance with this policy to be authorized and beneficial. If you follow these rules, we will not pursue or support legal action against you for your research, and we will work with you to understand and resolve the issue quickly. If a third party initiates legal action against you for activities conducted under this policy, we will make it known that your activities were carried out in accordance with this policy.
This authorization does not extend to activities that break the law, compromise other customers' privacy or degrade the service.
8. Rewards
OtterStorage does not currently run a monetary bug bounty program. We do offer our thanks and, with your consent, public recognition to those who help improve our security.
9. Contact
For anything security-related: security@otterstorage.io. For other enquiries, visit our contact page.
