Responsible Disclosure Policy
The security of our platform, our customers’ data and the integrity of our AI systems are our highest priority. Independent security researchers play a critical role in maintaining this security.
This Responsible Disclosure Policy establishes a framework for security researchers to report vulnerabilities to Otonomii in a safe, structured and mutually beneficial manner.
We are committed to working with the security community to identify and remediate vulnerabilities promptly. We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy.
01 Scope
This policy covers all internet-facing systems, applications, APIs and websites owned and operated by Otonomii, including:
Production web applications at otonomii.com and all subdomains
Public-facing APIs and API documentation portals
Authentication and authorization systems
Customer-facing dashboards and management consoles
Mobile applications published by Otonomii
Open-source projects maintained by Otonomii on public repositories
Excluded
Third-party systems, services and platforms not owned or operated by Otonomii are excluded, even if they integrate with Otonomii services. If you are unsure whether a system is in scope, contact security@otonomii.com before testing.
02 Covered Vulnerabilities
The following vulnerability classes are within the scope of this disclosure policy. This list is not exhaustive. If you discover a vulnerability that poses genuine security risk, please report it.
Misconfigurations
Incorrectly configured servers, cloud storage buckets, access controls or security headers that expose data or functionality beyond intended scope.
Cross Site Request Forgery
Attacks that force authenticated users to execute unintended actions, including state-changing operations without anti-CSRF tokens or SameSite protections.
Privilege Escalation
Vulnerabilities allowing a user to gain elevated access beyond authorized permissions, including vertical and horizontal escalation.
SQL Injection
Insertion of malicious SQL through application inputs that can read, modify or delete database contents.
Cross Site Scripting
Stored, reflected or DOM-based XSS. Reports must demonstrate impact beyond self-XSS.
Directory Traversal
Insufficient input validation enabling access to files or directories outside the intended scope.
Authentication Bypass
Circumvention of authentication mechanisms, including broken auth flows, session fixation, token forgery or MFA bypass.
Remote Code Execution
Execution of arbitrary code through command injection, deserialization, template injection or unsafe file upload behavior.
Server Side Request Forgery
Server functionality making requests to unintended internal or external resources, including blind or partial SSRF.
03 Excluded from Scope
The following are explicitly excluded from this disclosure program. Reports for these items will be acknowledged but will not be processed as vulnerability disclosures.
General best practices without proof of concept
Physical compromise of facilities or devices
Rate limiting on non-authentication endpoints
Insider compromise scenarios
Social engineering of Otonomii employees
Reflected file download attacks
Account takeover via credential stuffing
Red-teaming or adversarial model testing
Content issues with prompts or outputs
Denial of Service attacks
Clickjacking on non-sensitive pages
Missing cookie flags on non-sensitive cookies
Dependency hijacking without demonstrated impact
Zero-day vulnerabilities without available patches
04 AI Safety Issues
Issues related to AI model behavior, safety guardrails, harmful outputs, bias or adversarial manipulation of AI systems should be reported separately to safety@otonomii.com.
The AI Safety team operates independently from the Security team and has specialized processes for evaluating, triaging, and remediating model-level vulnerabilities.
If you are unsure whether an issue is a security vulnerability or a safety concern, report it to security@otonomii.com and we will route it to the appropriate team.
05 Submission Requirements
Submit vulnerability reports to security@otonomii.com. Use PGP encryption if available. Include the following information in your report.
Vulnerability Type and Severity
Classify the vulnerability using CWE identifiers where possible and estimate severity using CVSS v3.1 scoring.
Technical Details
Describe the root cause, affected component, protocol or API endpoint. Reference relevant standards or CVEs if applicable.
Summary
Provide a concise, plain-language description of the vulnerability and its potential impact.
Reproduction Steps
Include step-by-step instructions, prerequisites, tools required and expected versus actual behavior.
URL or Location
Provide the specific URL, API endpoint, IP address or system component where the vulnerability exists.
Proof of Concept
Include a minimal working PoC such as scripts, screenshots, HTTP requests, responses or recordings.
Potential Impact
Describe the worst-case scenario, including data exposure, service disruption, privilege escalation or downstream effects.
Recommended Remediation
Include suggested fixes if available. This is optional but appreciated.
How to Write a Good Report
The best reports are clear, concise and reproducible. Start with a one-sentence summary, provide reproduction steps a security engineer can follow, include observed and expected behavior, attach evidence and state any preconditions explicitly.
06 Good Faith Requirements
To qualify for safe harbor protections under this policy, researchers must adhere to the following good faith requirements.
Test only on systems you own or have explicit permission to test.
Avoid causing harm to Otonomii, our customers or our users.
Limit exploitation to the minimum necessary to demonstrate the vulnerability.
Do not exfiltrate, download, copy or store data that does not belong to you.
Do not disclose vulnerabilities publicly without written approval.
Do not attempt to access, modify or delete data belonging to others.
Do not use social engineering, phishing or physical attacks.
Do not demand payment or bounties as a condition for disclosure.
Confirm that you are not on applicable sanctions lists.
Comply with all applicable laws and regulations.
Do not use automated scanning tools against production without coordination.
Delete all Otonomii data, artifacts and credentials within 7 days.
Report vulnerabilities promptly and do not stockpile findings.
07 Otonomii’s Commitments
Acknowledgment
We will acknowledge receipt of your report within 3 business days and provide a tracking identifier and assigned security analyst.
Validation
Our security team will validate the vulnerability, confirm severity, determine scope and communicate our assessment.
Remediation
Confirmed vulnerabilities are remediated promptly. Critical and high-severity issues target 7 days, medium 30 days and low 90 days.
Safe Harbor
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy.
Attribution
With permission, we will publicly acknowledge your contribution. We respect your preference for anonymity.
08 Safe Harbor
When conducting vulnerability research in accordance with this policy, we consider your research to be authorized and will not initiate or support legal action against you for accidental, good-faith violations of this policy.
If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were conducted in accordance with this policy and were authorized by Otonomii.
This safe harbor is contingent on good faith effort. Research that causes material harm to Otonomii, its customers or its users may not be protected. When in doubt, contact us before testing.
09 Contact
Security Vulnerabilities
security@otonomii.com
PGP key: otonomii.com/.well-known/security.txt
AI Safety Concerns
safety@otonomii.com
For model behavior, bias and guardrail issues.
Autonomous Intelligence For The Next Era of Finance

2026 © Otonomii LTD. All rights reserved.