SECURITY RESEARCHERS
Vulnerability disclosure
Found a weakness in an OpasSecure system or product? Tell us. We welcome good-faith research and will work the report with you — acknowledgement, triage, and a fix.
This channel is for researchers reporting vulnerabilities — not live breaches. If you are dealing with an active compromise, call the 24/7 incident line immediately: +254 (0)70 163 2821.
SCOPE
What to report — and what not to
A quick guide so your effort lands where it helps. When in doubt, report it and let us triage.
What to report
- Authentication, authorization, or session-handling flaws
- Injection, remote code execution, or server-side request forgery
- Sensitive data exposure or insecure direct object references
- Business-logic flaws with a real security impact
- Security misconfiguration on OpasSecure-owned systems
What not to report
- Denial-of-service, volumetric, or brute-force testing
- Social engineering of our staff, clients, or vendors
- Automated scanner output with no demonstrated impact
- Reports about third-party services we do not control
- Anything requiring access to another user’s data without consent
Good faith
Test only your own accounts and data, avoid privacy violations, and never degrade our service.
Coordinated
Give us reasonable time to remediate before any public disclosure. We will keep you updated.
Recognition
We acknowledge every valid report and are glad to credit researchers who want it.
SECURE CONTACT
Encrypted submissions welcome
If your report is sensitive, encrypt it. Request our PGP key and we will exchange over an encrypted channel.
SUBMIT A REPORT
Report a vulnerability
Include enough detail for us to reproduce it. We acknowledge reports and respond to the contact you provide.
Dealing with a live breach instead? Call the 24/7 incident line.