Security & Responsible Disclosure Policy
Last updated — May 24, 2025
Protecting Orbyt's community is a top priority. This policy describes the safeguards we employ and how security researchers can responsibly disclose vulnerabilities. It supplements our Terms of Service and Privacy Policy.
1. Security Practices
- Encryption — All traffic is served over HTTPS with HSTS enforced.
- Credential Storage — User passwords are hashed using bcrypt with a salt and are never stored in plain text.
- Least-Privilege Access — Internal tools and databases are locked behind role-based permissions and multi-factor authentication.
- Regular Patching — Servers and dependencies are updated promptly when security patches are released.
- Backups & Recovery — Encrypted off-site backups run nightly and are tested quarterly for restoration.
2. Vulnerability Disclosure Program
We welcome reports from security researchers who discover vulnerabilities in Orbyt. While we do not operate a paid bug-bounty program, we appreciate your effort and publicly acknowledge valid findings (with permission).
2.1 In-Scope Targets
- *.orbyt.social web applications and APIs
- Mobile or desktop apps officially published by Operator (if any)
2.2 Out-of-Scope Targets
- Third-party services not controlled by Operator
- Denial-of-service or spam testing
- Social-engineering against staff or users
2.3 Disclosure Process
- Email a detailed report to security@orbyt.social including:
  - Steps to reproduce
  - Impact assessment
  - Proof-of-concept code or screenshots (if applicable)
- Allow us 90 days to investigate and remediate before any public disclosure.
- We will acknowledge receipt within 3 business days and update you on progress at least every 30 days.
3. Safe Harbor
If you adhere to this policy and avoid prohibited activities, we will not pursue legal action or refer you to law enforcement solely for your security research. This does not grant immunity for malicious, disruptive, or unlawful conduct.
4. Incident Response
- Detection — We monitor logs and anomalies 24/7.
- Containment — Affected systems are isolated immediately upon detection.
- Notification — Users will be notified of breaches that pose a reasonable risk of harm, consistent with applicable law.
- Post-Mortem — We publish a summary of high-impact incidents and remediation steps (excluding sensitive details).
5. Contact
Email: security@orbyt.social
6. Policy Updates
We may update this Security & Responsible Disclosure Policy. Material changes will be posted here.
