Onpane

Responsible Disclosure Policy

Last updated: March 2026

1. Introduction

At Onpane, we take the security of our systems, products, and customer data seriously. We value the contributions of security researchers and the broader security community in helping us maintain a secure platform. This Responsible Disclosure Policy outlines how to report security vulnerabilities to us and what you can expect in return.

2. Scope

This policy applies to security vulnerabilities discovered in the following assets:

  • onpane.com: The main Onpane website, including the dashboard, public pages, and API endpoints.
  • Widget API: The API endpoints that serve announcement widget data to customer websites.
  • Widget Script: The JavaScript widget embedded on customer websites to display announcements.

3. How to Report

If you believe you have discovered a security vulnerability in any of the assets listed above, please report it to us by sending an email to [email protected].

To help us understand and address the issue as quickly as possible, please include the following information in your report:

  • Description: A clear and detailed description of the vulnerability, including the type of issue (e.g., cross-site scripting, injection, authentication bypass).
  • Reproduction Steps: Step-by-step instructions to reproduce the vulnerability, including any URLs, parameters, payloads, or tools used.
  • Impact Assessment: Your assessment of the potential impact of the vulnerability, including affected users, data at risk, and possible attack scenarios.

4. Our Commitment

When you report a vulnerability to us in good faith, we commit to the following:

  • 72-Hour Acknowledgment: We will acknowledge receipt of your report within 72 hours.
  • 14-Day Status Update: We will provide you with a status update on the reported vulnerability within 14 days of acknowledgment, including our assessment of the issue and an expected timeline for resolution.
  • No Legal Action: We will not pursue legal action against researchers who discover and report security vulnerabilities in good faith and in accordance with this policy.

5. Safe Harbor

We consider security research conducted in accordance with this policy to be authorized and will not initiate or support legal action against researchers who act in good faith. Researchers acting in good faith are expected to avoid privacy violations, destruction of data, and interruption or degradation of our services. If at any time you are unsure whether your research is consistent with this policy, please contact us at [email protected] before proceeding.

6. Out of Scope

The following activities and vulnerability types are considered out of scope for this policy:

  • Social Engineering: Attacks involving phishing, pretexting, or other social engineering techniques directed at Onpane employees, users, or contractors.
  • Physical Access: Attempts to gain physical access to Onpane facilities, equipment, or infrastructure.
  • Denial of Service Testing: Any form of denial-of-service (DoS) or distributed denial-of-service (DDoS) testing against Onpane systems or infrastructure.
  • Third-Party Services: Vulnerabilities in third-party services, libraries, or platforms that Onpane integrates with but does not directly control.

7. Recognition

We appreciate the efforts of security researchers who help us improve the security of our platform. With your permission, we may publicly acknowledge your contribution. Please note that Onpane does not currently operate a bug bounty program and does not offer monetary compensation for vulnerability reports.