Responsible Disclosure

Found a security vulnerability? We want to hear from you. This page describes how to report issues and what you can expect from us.

Last updated: 1 April 2026

01 Our commitment

Security is fundamental to what Opsion does. We monitor on-chain activity for teams and businesses that rely on us to keep their assets and operations safe. If you have discovered a security vulnerability in our platform, we want to hear from you. We commit to working with you to understand and resolve the issue quickly, and we will not take legal action against researchers who act in good faith under this policy.

02 Scope

This policy applies to the following systems:

  • console.opsion.xyz — the main web application
  • api.opsion.xyz — the REST API
  • opsion.xyz — the marketing website
  • docs.opsion.xyz — the documentation site

Any other Opsion-owned domain or service that handles user data or authentication is also in scope. Third-party services we use (Stripe, Resend, etc.) are out of scope — please report those issues directly to the respective vendor.

03 How to report

Email your findings to team@opsion.xyz. Please include:

  • A clear description of the vulnerability and its potential impact.
  • The affected URL, endpoint, or component.
  • Step-by-step reproduction instructions.
  • Any proof-of-concept code, screenshots, or HTTP request/response samples.
  • Your preferred contact method for follow-up questions.

You may encrypt your report using our PGP key, available on request at the email above.

04 What to expect from us

Milestone                                  Target time
-----------------------------------------  ----------------
Acknowledgement of your report             24 hours
Initial triage and severity assessment     3 business days
Status update on remediation               7 business days
Resolution of critical issues              14 days
Resolution of other issues                 90 days

We will keep you informed throughout the process and notify you when the issue has been resolved. With your permission, we will acknowledge your contribution in our release notes.

05 Ground rules

We ask that you:

  • Give us reasonable time to investigate and fix the issue before any public disclosure.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Do not perform denial-of-service attacks, spam, or social engineering against our team or users.
  • Do not use automated scanners that generate excessive traffic without prior agreement.
  • Act in good faith — the goal is to protect users, not to cause harm.

Researchers who follow these rules will not face legal action from Opsion related to their security research. We will not pursue claims under the Computer Fraud and Abuse Act or equivalent legislation for good-faith research conducted under this policy.

06 Bug bounty

We do not currently operate a formal paid bug bounty programme. However, we deeply appreciate the work of security researchers and will acknowledge meaningful contributions publicly (with your consent) and may offer rewards at our discretion for critical findings. If you are interested in a coordinated disclosure arrangement, mention this in your initial report.

07 Out of scope

The following are outside the scope of this policy:

  • Vulnerabilities in third-party services or libraries we depend on (report those upstream).
  • Missing security headers that do not lead to a demonstrable exploit.
  • Self-XSS or issues that require physical access to a victim's device.
  • Rate limiting on non-sensitive endpoints.
  • Reports generated entirely by automated scanners without manual validation.
  • Theoretical attacks without a working proof-of-concept.

Questions about this document? team@opsion.xyz