OpasSecure Ltd

Vulnerability disclosure

Found a weakness in an OpasSecure system or product? Tell us. We welcome good-faith research and will work through the report with you: acknowledgement, triage, and a fix.

ACTIVE INCIDENT? DO NOT USE THIS FORM

This channel is for researchers reporting vulnerabilities — not live breaches. If you are dealing with an active compromise, call the 24/7 incident line immediately: +254 (0)70 163 2821.

What to report — and what not to

A quick guide so your effort lands where it helps. When in doubt, report it and let us triage.

IN SCOPE
  • Authentication, authorization, or session-handling flaws
  • Injection, remote code execution, or server-side request forgery
  • Sensitive data exposure or insecure direct object references
  • Business-logic flaws with a real security impact
  • Security misconfiguration on OpasSecure-owned systems
OUT OF SCOPE / PLEASE AVOID
  • Denial-of-service, volumetric, or brute-force testing
  • Social engineering of our staff, clients, or vendors
  • Automated scanner output with no demonstrated impact
  • Reports about third-party services we do not control
  • Anything requiring access to another user’s data without consent

Good faith

Test only your own accounts and data, avoid privacy violations, and never degrade our service.

Coordinated

Give us reasonable time to remediate before any public disclosure. We will keep you updated.

Recognition

We acknowledge every valid report and are glad to credit researchers who want it.

Encrypted submissions welcome

If your report is sensitive, encrypt it. Request our PGP key and we will exchange it with you over an encrypted channel. Confirm the key fingerprint with us before you encrypt anything to it.

Report a vulnerability

Include enough detail for us to reproduce it. We acknowledge reports and respond to the contact you provide.

The form asks for:
  • A name or handle we can credit (optional).
  • A contact address, where we send acknowledgement and follow-up.
  • A description of the issue, its impact, and clear steps to reproduce it.
  • Your own read on the risk (optional).

By submitting, you agree to act in good faith and give us reasonable time to remediate before any public disclosure. Prefer to encrypt? Request our PGP key.

Dealing with a live breach instead? Call the 24/7 incident line.