Responsible disclosure

Help us keep OneLocked harder to break.

If you find a legitimate security issue, send it to us responsibly. We review meaningful reports carefully and may offer discretionary rewards based on severity, clarity, and real-world impact.

What to include
Steps to reproduce
Observed impact
Affected route or surface
Safe proof-of-concept details

Priority

The types of reports we care about most.

The strongest submissions are the ones that help us verify meaningful risk quickly and responsibly.

Highest-priority findings

Authentication bypass or account takeover paths
Access to another user’s protected vault material
Privilege escalation into admin-only capabilities
Server-side handling that undermines encrypted workflows

Meaningful application issues

Injection or XSS with real account impact
Sensitive information disclosure
Broken access control in sharing or admin flows
CSRF or session weaknesses on important actions

Reports that help most

Clear reproduction steps
Observed impact and affected surface
Any proof-of-concept details you can safely share
Enough context for us to verify without guesswork

Rules of engagement

Test carefully, disclose responsibly.

We want to encourage good-faith research without creating unnecessary risk for users or the service.

Test only against accounts and data you control.
Do not access, alter, or destroy another user’s information.
Avoid denial-of-service, spam, or service disruption tactics.
Do not use social engineering or phishing against users or staff.
Give us a reasonable opportunity to investigate before public disclosure.
If you are unsure whether something is in scope, ask first.

Out of scope

A few things we are not treating as bounty targets.

This helps keep review focused on issues with a clear, product-relevant security impact.

Third-party service issues that do not originate in OneLocked itself
Purely theoretical findings with no practical impact
Low-value content issues without a security consequence
Rate-limit or brute-force speculation without a demonstrated path

Ready to report?

Send a clear, responsible report and we’ll take it seriously.

Include the affected surface, real impact, and enough detail for reproducibility. That gives us the best chance to investigate quickly and responsibly.

Contact the security team