Responsible Disclosure Policy

Introduction

What is “Responsible Disclosure”?

Responsible Disclosure — also called Vulnerability Disclosure — is the practice of reporting a security weakness directly and privately to the affected organisation, so the issue can be fixed without exposing users or systems to risk.

What is a “Security Finding”?

A security finding is any suspected or confirmed vulnerability, bug, misconfiguration, or other flaw in a system that could:

  • Allow unauthorised access to systems or data

  • Disrupt or degrade services

  • Compromise the confidentiality, integrity, or availability of information

  • Be used to cause harm or commit unlawful acts

Why This Policy Exists

At Orbem.ai, we value security and transparency — but security testing without our prior knowledge and permission is not allowed under any circumstances. This policy explains:

  • How to report a finding if you come across one unintentionally

  • How we handle such reports

  • The rules that protect both Orbem.ai and the reporter under German and EU law

1. Acceptance of Terms

By submitting any security finding (“Report”) to Orbem.ai (“Company”), you confirm you have read, understood, and accepted the terms of this Responsible Disclosure Policy (“RDP”). This constitutes a binding agreement under §§ 145 ff. BGB. If you do not agree, do not submit a Report.

2. Scope

This policy applies only to findings in:

  • Orbem.ai websites, APIs, applications, and backend systems

  • Networks and infrastructure owned or controlled by Orbem.ai

Testing of non-Orbem systems is strictly prohibited.

3. No Unauthorised Testing

  • You are not permitted to conduct any active vulnerability scanning, penetration testing, or other security testing of Orbem.ai systems without prior written authorisation.

  • Any unauthorised testing may violate German criminal law (StGB §§ 202a–202c) and will be treated as a security breach, subject to investigation and possible legal action.

  • If you happen to discover a vulnerability unintentionally (e.g., during normal use of our services), you must:

    • Stop all activity immediately — do not attempt to access or test the vulnerability further.

    • Do not access, download, or manipulate any data or systems.

    • Report it to us immediately as described in section 4.

4. How to Report

Email your finding to: [email protected]

Your report should include:

  • A clear description of the finding

  • Steps to reproduce (if already known from initial accidental discovery)

  • Affected system(s)

  • Potential impact

5. Non-Disclosure Requirement

  • You must not publish, disclose, or share any details of the finding with any third party without prior written consent from Orbem.ai.

  • This obligation has no time limit, even after a fix is implemented.

  • Any breach will be treated as unauthorised disclosure and may result in civil and/or criminal proceedings.

6. Compensation Policy

  • Orbem.ai does not provide payment for unsolicited reports.

  • Payment will only be considered if:

    1. The finding is submitted via an official Orbem.ai-approved bug bounty programme on a recognised legal platform, and

    2. All programme terms and conditions are met.

  • Participation in such a programme does not guarantee payment; awards are at Orbem.ai’s sole discretion.

7. Safe Harbor

If you:

  • Fully comply with this policy

  • Refrain from any unauthorised access or testing

  • Act in accordance with all applicable laws

Then Orbem.ai will not pursue civil claims against you for the accidental discovery and immediate reporting of a vulnerability.

Note: This does not shield you from liability for unlawful actions under German criminal law.

8. Prohibited Activities

  • Performing any testing without prior written authorisation

  • Accessing, copying, storing, or sharing personal data

  • Attempting to exploit vulnerabilities beyond the initial accidental discovery

  • Disrupting services or systems (e.g., DoS attacks)

  • Using social engineering, phishing, or deception against Orbem.ai personnel

9. Data Protection Obligations

  • Do not intentionally collect or retain any personal data.

  • If personal data is inadvertently accessed, stop immediately, do not copy or transmit it, and notify Orbem.ai right away.

  • All actions must comply with GDPR.

10. Response Commitments

  • Acknowledgement: Within 72 hours of receipt

  • Status Update: Within 10 business days

  • Resolution Timeline: Based on severity and business impact

11. Rights & Ownership

  • All reports become the property of Orbem.ai upon submission.

  • Orbem.ai may use, modify, and act upon the information without obligation to you.

12. Governing Law & Jurisdiction

This policy is governed by the laws of the Federal Republic of Germany. Exclusive jurisdiction lies with the competent courts of Munich, Germany, unless otherwise required by law.
