Bug Bounty Program
Optimoz Vulnerability Reward Program (VRP)
Last Updated: 01/15/2026
Program Overview
At Optimoz, the security of our users and their data is our top priority. We recognize the vital role the information security community plays in keeping the internet safe. The Optimoz Vulnerability Reward Program encourages security researchers to identify and responsibly disclose vulnerabilities in our web properties.
We are committed to working with researchers in good faith and rewarding them for their efforts in helping us maintain a secure environment.
Scope
In-Scope Assets
We are interested in vulnerabilities that affect the confidentiality, integrity, or availability of user data on the following web services:
- https://*.Optimoz.com
- https://*.Optimoz.AI
- https://*.Relievox.ai
- https://*.optalk.ai
Out-of-Scope Assets
- Third-party applications or services hosted by non-Optimoz entities.
- Staging or development environments not explicitly listed above.
Response Service Level Agreement (SLA)
We value your time and aim to respond quickly:
- Acknowledgement: Within 2 working days of submission.
- Assessment: Within 5 working days of acknowledgement.
- Bounty Payment: Generally confirmed and paid following the remediation of the issue in our production environments.
Reporting Guidelines
To facilitate a quick triage and remediation process, please send your report to security[at]Optimoz.com.
Recommended Report Format
To maximize your chance of a reward, please include:
- Summary: A brief explanation of the vulnerability.
- Severity: Your assessment of the impact (e.g., High, Medium, Low).
- Proof of Concept (PoC): Clear steps to reproduce the issue. Video or screenshots are highly encouraged.
- Impact Analysis: How this vulnerability affects Optimoz or its users.
- Environment: Browser version, OS, or specific configurations used.
Reward Eligibility & Criteria
We award bounties based on the impact, severity, and quality of the report.
Qualifying Vulnerabilities:
- Must exist within the in-scope web services listed above.
- Must substantially affect the confidentiality or integrity of user data.
- Must allow unauthorized privilege escalation (e.g., accessing data across different organizations).
Reward Factors:
- Quality: Detailed PoCs and clear reproduction steps result in higher rewards.
- Severity: Issues leading to critical data exfiltration or full account takeovers are rewarded highest.
- Originality: Only the first comprehensive report for a specific issue is eligible.
- Note: Duplicate reports are determined solely by the email timestamp received at security[at]Optimoz.com.
- Exception: We may reward a later report if the initial report was of insufficient quality to allow us to reproduce or fix the issue.
Excluded Issues (Non-Qualifying)
The following issues are considered out of scope and are not eligible for a reward:
- Publicly Accessible Information: Disclosure of known public files (e.g., robots.txt, .well-known/).
- Denial of Service (DoS): Flooding, rate limiting issues, or resource exhaustion.
- Automated Scans: Reports generated solely by automated scanners without manual verification.
- Client-Side UI Issues: Clickjacking, content spoofing, or text injection without significant security impact.
- Physical/Local Attacks: Attacks requiring physical access to a user’s device or local network (e.g., self-XSS, local token exfiltration).
- Configuration Best Practices: Missing HTTP security headers, SPF/DKIM/DMARC records, or SSL/TLS best practices (unless they lead to a direct exploit).
- Network Attacks: Issues outside our control, such as DNS cache poisoning or MITM attacks due to compromised user networks.
Threat Model & Trust Boundaries
Our threat model prioritizes the prevention of third-party data exfiltration.
- Organization Boundary: We view distinct organizations as a hard trust boundary.
- Internal Privilege Escalation: Privilege escalation within a single organization is generally considered a functional bug, not a security vulnerability, unless it allows a user to gain administrative control without prior authorization.
Safe Harbor & Code of Conduct
We consider research conducted under this policy to be authorized. We will not initiate legal action against you for accidental, good-faith violations of this policy, provided that you:
- Do No Harm: Never attempt to access, modify, or delete data belonging to others.
- Do Not Disrupt: Do not perform DoS attacks or degrade the performance of our services.
- Privacy First: If you encounter user data, stop immediately and report the vulnerability. Do not view, copy, or save the data.
- Responsible Disclosure: Give us reasonable time to remediate the vulnerability before disclosing it publicly.
Thank you for helping keep Optimoz and our users safe!