Responsible disclosure

At ON2IT Inc., we consider the security and data of our systems a top priority. Since we are committed to system security, we understand and appreciate the added value of security researchers.

If you have found a security vulnerability that complies with the rules and scope, please submit it to We will acknowledge your report within 2 business days, and you will be contacted again after we have validated your report within 10 business days.

Program rules

In order to protect our systems and users, we have compiled a list of rules regarding vulnerability disclosure:

  • Only the systems within our scope are applicable.
  • Report the vulnerability as quickly as possible after its discovery.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data.
  • Where applicable, you must only use your own data (name, email-address) to demonstrate the vulnerability.
    • The use of pseudonyms is allowed.
  • Do not reveal the problem until it has been resolved.
  • Avoid the following actions to keep the impact to a minimum:
    • Installing malware
    • Making changes to a system
    • Copying, changing or deleting data
  • Overall, handle the knowledge on the security problem or vulnerability with care by not performing any acts other than those necessary to demonstrate the vulnerability.
  • Please provide us with sufficient information to reproduce the problem, for example with a Proof-of-Concept, so we can resolve it as quickly as possible.

We ask that all disclosures are kept confidential in order to protect our community. Under very specific circumstances, and concerning major disclosures, we can foresee a common public communication. However, this must be agreed on beforehand at


Disclosures are only eligible if they are in line with the following scope

  • https://*
  • https://*

Out of scope

The following items are known and accepted, and do not need to be reported:

  • Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
  • Contact Forms without limit of submission
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Banner disclosure on common/public services without a PoC
  • Security header configurations or missing headers
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • WordPress-related wp-cron.php availability; appropriate measures for this are in place.
  • Informational disclosures on available WordPress core, theme and plugin updates.


All responsible disclosures are rated by our security professionals in order to calculate a possible reward. These rewards are paid out using the Tremendous platform.

The following criteria are taken into consideration:

  • Reproducibility and verifiability of the vulnerability
  • Severity of the vulnerability disclosed
  • Likelihood that the vulnerability would have been exploited
  • Criticality of the assets that were affected by the vulnerability
  • Quality of the communication


As a European company based in the Netherlands, we apply the highest standard of data protection based on the GDPR. This means we keep the minimum amount of information about you, for a limited time and for the sole purpose of communicating with you. In short, when you report a vulnerability, we only collect your name (or pseudonym) and email address. If you qualify to be registered in our Hall of Fame, we will request your consent to register your name here.

See our privacy policy for more information.