Security and disclosure.
Security and Vulnerability Disclosure Policy
1. Commitment
OBEXGATE is designed as a secure, enforcement-layer system. We welcome responsible disclosure of vulnerabilities that improve platform security.
2. Scope
In scope:
- obexgate.com and associated production systems
- API endpoints (classification, reporting, token handling)
- Authentication and session enforcement
- Integration points (Anthropic, Vercel, Redis, Stripe, etc.)
Out of scope:
- Denial of service testing
- Social engineering or phishing
- Automated scanning that impacts availability
- Third-party vulnerabilities not caused by our configuration
- Non-exploitable or purely informational findings
3. Safe Harbour
We will not pursue legal action against researchers acting in good faith. Good faith requires testing only your own accounts, no data exfiltration beyond minimal proof, no public disclosure before remediation, and no exploitation beyond demonstration. Safe harbour does not apply to actions that harm users or systems.
4. Reporting
Email: security@obexgate.com. Subject: Vulnerability Report - [brief description]. Include description, steps to reproduce, affected components, evidence, and contact details. Do not include sensitive data.
5. Response Commitments
- Acknowledge within 5 business days
- Provide initial assessment within 14 business days where possible
- Maintain communication during remediation
- Offer public credit upon resolution (with permission)
No monetary bounty is currently offered.
6. Coordinated Disclosure
We request 90 days before public disclosure, with earlier coordination if a vulnerability is being actively exploited.