Responsible disclosure

Making online business easy & safe

Onegini provides solutions in environments that require the highest levels of security and trust. Although we develop great products and services for our customers, as in all technology, we can never be perfect. As is common practice in our industry, Onegini rewards those who want to help keep our products secure. If you find a vulnerability in one of our projects or think you can contribute to the safety of our solution, we ask you to notify us through the resources provided on this page. This will help us continue to create the best products and services and keep our users and customers safe.

  • icon
    Help us keep our customers and yourself safe
  • icon
    Report an issue if you think we should improve
  • icon
    Acknowledgement of your efforts
  • icon
    Bug bounty

Our promise to you as a reporter

We will respond to your report within 15 business days with our evaluation of the report and an expected resolution date.

If you have disclosed this responsibly and in accordance with the instructions pasted above, we will not take legal action against you.

We will keep you informed of the progress towards resolving the problem.

We will handle your report with strict confidentiality, e.g. will not pass on your personal details to third parties without your permission.

Unless you desire otherwise, we will provide public information concerning the problem reported.

A reward for your efforts

As a token of our gratitude for your assistance, Onegini offers a reward for  reports of security problems that were not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. In general, we award product and domain specific findings, and tend not to reward findings describing "low hanging fruit" security settings that can be found with automated tools. The minimum reward will be a €25 gift certificate. Unless you desire otherwise, we will also include you in our Hall of Fame along with your name as the discoverer of the problem.

  • icon
    Gift certificate
  • icon
    Hall of Fame
Hands squeeze the coup winner against lightning dark sky.

Identifying and reporting issues

If you find an issue, please contact rvang on Keybase or email him at using this PGP key

Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.

Do not reveal the problem to others until it has been resolved.

Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.

Please provide us with appropriate information to help us fix the issue. This usually includes the hostname and URL of the affected service, and any other steps you must take to reproduce the problem.