Orion is a platform for real-time heads-up communication between people, teams, bots, intelligent agents, and voice services. Our service works on any device, over any distance, with any network, without boundaries. Voice is the new interface, bots are the new apps, and voice-enabled devices are becoming ubiquitous. Orion enables distributed teams to collaborate and communicate in real time, helping these people and organizations leverage voice beyond a plain phone or radio call.
If you believe you've found a security issue in our products or service, we encourage you to notify us. We look forward to working with you to resolve the issue promptly.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve it.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Orion Labs will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response (from report submit) - 5 days
Time to triage (from report submit) - 5 days
We’ll try to keep you informed about our progress throughout the process.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Scanner output or scanner-generated reports, including any automated or active exploit tool.
Vulnerabilities involving stolen credentials or physical access to a device.
Password and account recovery policies, such as reset link expiration or password complexity.
Missing security headers that do not lead directly to a vulnerability.
Clickjacking on static websites.
Content spoofing/text injection.
Denial of service attacks caused only by a large volume of requests.
Use of a known-vulnerable library (without evidence of exploitability).
Issues related to software or protocols not under Orion’s control.
Security issues on our marketing web properties unless they can be shown to affect our production services.
Reports of spam.
Vulnerabilities affecting users of outdated or unpatched browsers and platforms.
Social engineering of staff or contractors.
Self-XSS, which includes any payload entered by the victim.
Any physical attempts against Orion property or data centers.
Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset.
Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.
Reports of server crashes.
Mobile application vulnerabilities that require a rooted, jailbroken, or otherwise modified device.
Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit).
General functionality issues on Orion's marketing website.
Email DNS issues with non-MX subdomains. Yes, we do not post SPF/DKIM records for non-mail-enabled domains.
Current versions of our mobile and clients, including:
Orion Platform API: https://api.orionlabs.io, https://icarus.orionlabs.io, https://alnitak.orionlabs.io
For all submissions please include:
Full description of the vulnerability being reported, including the exploitability and impact.
Evidence and explanation of all steps required to reproduce the submission, which may include videos, screenshots, exploit code, traffic logs, Web/API requests and responses, email address or user ID of any test accounts, IP address used during testing.
Any information you receive or collect about Orion or any Orion user through the Responsible Disclosure Program (“Confidential Information”) must be kept confidential and only used in connection with the Responsible Disclosure Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Orion sites, without Orion’s prior written consent.
Thank you for helping keep Orion Labs and our users safe!
Scope Type | Scope Name |
---|---|
android_application | com.onbeep.obiwan |
ios_application | 984202314 |
web_application | https://github.com/orion-labs/node-red-contrib-orion |
web_application | login.orionlabs.io |
web_application | observatory.orionlabs.io |
web_application | api.orionlabs.io |
web_application | https://github.com/orion-labs/node-orion |

Scope Type | Scope Name |
---|---|
web_application | support.orionlabs.io |
web_application | https://info.orionlabs.io/ |
web_application | shop.orionlabs.io |
web_application | www.orionlabs.io |
FireBounty crawled the Orion Labs program on the HackerOne platform on 2020-04-07.