SECURITY & RESPONSIBLE DISCLOSURE

NEURAL PATCH.

If you found a vulnerability, report it safely. We will treat you fairly — with clear rules and real protection.
Last updated: April 19, 2026

01 / Scope

What You Are Authorized to Test

This policy applies to good-faith security research conducted against Opsionic-owned systems and web properties that are publicly accessible and intended for user interaction.

  • Opsionic.com Website
  • Public Endpoints Owned by Opsionic

If you are unsure whether a target is in-scope, email security@opsionic.com before testing. Anything not explicitly in-scope is treated as out-of-scope.

02 / Safe Harbor

Good-Faith Protection

If you follow this policy, act in good faith, and avoid harm, Opsionic will not initiate legal action against you for unauthorized access claims arising solely from your security testing.

  • Good faith means: minimal access needed to prove the issue, no persistence, no data extraction, and prompt reporting.
  • Safe harbor is conditional: it does not apply if you violate the rules below, cause harm, or act maliciously.
  • No blanket immunity: this policy does not prevent law enforcement involvement for criminal activity.

This safe harbor is intended to encourage responsible research — not to authorize disruption, data theft, or extortion.

03 / Rules of Engagement

Do No Harm

To qualify for safe harbor, you must comply with all of the following:

  • No data access: do not access, download, modify, delete, or disclose personal data or client data.
  • No disruption: no denial-of-service, volumetric testing, traffic floods, or degradation attempts.
  • No social engineering: no phishing, vishing, impersonation, or coercion of staff/clients.
  • No physical attacks: no attempts to access facilities, devices, networks, or hardware.
  • No persistence: do not plant backdoors, create accounts, or maintain access beyond proof.
  • No public disclosure first: give us a reasonable window to fix before publishing details.
  • No extortion: do not demand payment to “not disclose”. (This instantly voids safe harbor.)

If your testing could affect real users or production availability, stop and contact us first.

04 / Out of Scope

We Won’t Accept These

  • Reports based solely on outdated software versions without demonstrable exploitability.
  • Self-XSS, clickjacking on non-sensitive pages, or missing best-practice headers without real impact.
  • Brute-force attacks, credential stuffing, or login attempts using leaked credentials.
  • Any testing against third-party systems not owned by Opsionic (unless explicitly authorized in writing).

05 / Reporting

Initiate Report

Send your report to our security desk. If possible, include a short proof-of-concept that demonstrates impact without exposing data.

TO: security@opsionic.com
SUBJECT: VULNERABILITY_REPORT_[SHORT_NAME]

INCLUDE:
- Affected URL / endpoint / component
- Steps to reproduce (clear + minimal)
- Expected vs. actual behavior
- Impact assessment (what could an attacker do?)
- Screenshots / logs (no sensitive data)
- Your suggested fix (optional)

OPTIONAL:
- PGP key / secure channel preference

Please remove or redact personal data from screenshots/logs. If sensitive data is unavoidable to prove impact, disclose minimally and explain what was exposed.

06 / Response & Timelines

What You Can Expect

  • Acknowledgement: we aim to confirm receipt within a reasonable time.
  • Triage: we assess severity, scope, and reproducibility.
  • Remediation: we prioritize fixes based on risk and exploitability.
  • Disclosure: coordinated public disclosure can occur after remediation or after a reasonable window agreed with the reporter.

Some vulnerabilities require coordination with third-party vendors; this may extend timelines. We will communicate status updates when reasonably possible.

07 / Legal Boundaries

Important Notes

  • This policy does not grant you rights to access data you do not own, or to violate privacy laws.
  • Reverse engineering is permitted only to the extent necessary to identify the vulnerability and only within scope.
  • You must comply with applicable laws. If laws conflict with this policy, applicable law controls.

For contractual terms, see Terms & Conditions.

Respect + Precision

We appreciate researchers who help improve the security of the automation ecosystem. If you follow the rules, we will treat you fairly.

Security contact: security@opsionic.com