Security & Responsible Disclosure

Version: 1.0
Effective: March 2026
Contact: security@oryniq.com

1. Our Commitment

OrynIQ connects to enterprise ServiceNow environments and handles sensitive organizational data. Security is not an afterthought — it is a core responsibility. We are committed to responding to legitimate vulnerability reports promptly, transparently, and without legal action against researchers acting in good faith.

If you believe you have found a security vulnerability in OrynIQ, we want to hear from you.

2. How to Report

Send vulnerability reports by email. Do not open a public GitHub issue, post on social media, or disclose to a third party before we have had a reasonable opportunity to investigate and respond.

Email: security@oryniq.com

Subject line: [SECURITY] <brief description>

We target an initial acknowledgement within 2 business days and a triage decision within 5 business days.


3. Scope

The following systems and assets are in scope for responsible disclosure:

Asset           | Description
app.oryniq.com  | OrynIQ control plane — authentication, data access, API endpoints
oryniq.com      | Marketing website
OrynIQ API      | All REST API routes under /api/phaas/

Vulnerability classes of particular interest:

  • Authentication bypass or session fixation
  • Cross-tenant data access (IDOR, broken object-level authorization)
  • ServiceNow credential exposure or exfiltration
  • Injection vulnerabilities (SQL, command, SSRF)
  • Privilege escalation across roles (customer_viewer → global_admin, etc.)
  • Broken access controls on AI agent write-back actions
  • Sensitive data exposure in API responses or logs

4. Out of Scope

Do not test against production. If you need to verify a finding, contact us first and we will arrange a safe testing environment.

The following are out of scope and will not be accepted as valid reports:

  • Denial of service (DoS/DDoS) attacks of any kind
  • Social engineering or phishing of OrynIQ personnel
  • Physical security attacks
  • Vulnerabilities in third-party services (Cloudflare, Anthropic, Resend) — report these to the respective vendor
  • Automated scanner output without a demonstrated impact
  • Missing security headers with no demonstrated exploitability (e.g., missing HSTS when Cloudflare already enforces it)
  • Rate limiting on non-sensitive endpoints
  • Self-XSS requiring the attacker to be logged in as the victim
  • Bugs requiring physical access to the user's device

5. What to Include in Your Report

A good report helps us reproduce and triage quickly. Please include:

  • Description — what the vulnerability is and what it allows an attacker to do
  • Steps to reproduce — a clear, step-by-step reproduction path
  • Impact — what data or functionality is at risk, and for which users
  • Evidence — screenshots, request/response captures, or a proof-of-concept (PoC); redact any sensitive data before sending
  • Environment — browser, OS, or tool used if relevant
  • Suggested fix — optional but appreciated

6. What to Expect

Stage                                               | Target Timeline
Initial acknowledgement                             | 2 business days
Triage and severity assessment                      | 5 business days
Status update (fix in progress or declined)         | 10 business days
Fix deployed (for confirmed critical/high findings) | 30 days from confirmation
Coordinated disclosure (if requested)               | Agreed jointly — typically 90 days

We will keep you informed throughout the process. If we need more time for a complex fix, we will communicate the revised timeline before the agreed disclosure date.

We do not offer a paid bug bounty program at this time. We do publicly acknowledge researchers who responsibly disclose valid findings, with their permission.

7. Safe Harbor

OrynIQ will not pursue civil or criminal action against researchers who:

  • Discover and report vulnerabilities in good faith under this policy
  • Do not access, modify, or destroy data belonging to other customers
  • Do not disrupt platform availability or degrade service for other users
  • Report findings to us before any public disclosure
  • Comply with applicable law throughout their research

If you are uncertain whether a planned test falls within this policy, contact us first and ask. We would rather answer a question in advance than deal with an incident after the fact.

8. Acknowledgements

We recognise researchers who responsibly disclose valid security findings. With your permission, your name or handle will be listed here.

No acknowledgements yet — be the first.

This policy is reviewed and updated as the platform evolves. Version 1.0 — effective March 2026.