Vulnerability Disclosure Policy
At OTS Pakistan, your trust is our top priority. We are committed to delivering secure, innovative solutions while safeguarding the data, privacy, and digital assets of our clients, partners, and users. This Vulnerability Disclosure Policy (VDP) invites responsible security researchers and ethical hackers to identify and report security vulnerabilities in a lawful, constructive, and transparent manner.
We believe in collaboration and transparency as vital pillars of a robust cybersecurity framework.
Scope
The VDP covers all public-facing digital assets owned or operated by OTS Pakistan, including:
- Official websites: www.otspk.com and all subdomains
- APIs, public endpoints, and SaaS platforms
- Mobile and web-based applications
- Public-facing infrastructure and cloud-hosted systems
- Custom software and tools developed by Trojans.
Out-of-Scope Areas
- Physical infrastructure or social engineering
- Denial-of-Service (DoS/DDoS) testing
- Automated scanning tools causing service degradation
- Phishing attacks or employee impersonation
- Attacks requiring social manipulation or insider access.
Guidelines for Responsible Disclosure
We ask all researchers to:
- Report findings privately and avoid public disclosure until resolved
- Avoid data exfiltration or exploitation during testing
- Respect user privacy and confidentiality
- Submit vulnerabilities with reproducible steps and impact assessments
- Refrain from disrupting services or accessing data without consent.
Following these principles ensures mutual trust and accelerates resolution.
Vulnerability Submission Process
To report a security issue, follow these steps:
Submit to: OTS Team
Email: info@otspk.com
Include:
- Reporter’s name or alias (optional)
- Contact details for follow-up
- Affected system (URL, endpoint, product version)
- Detailed reproduction steps (screenshots, payloads, PoC)
- Impact summary and risk level
- Suggested remediation (if applicable)
Optional: Encrypted reports via PGP (available upon request).
We commit to:
- Acknowledging your report within 5 business days
- Providing regular status updates
- Remediating valid vulnerabilities typically within 30–90 days
- Offering recognition, including:
  - Public acknowledgment (with consent)
  - Letter of appreciation
  - Swag or early access opportunities (when available)
  - Inclusion in our future Security Researcher Hall of Fame.
Legal Safe Harbor
We respect ethical research and guarantee legal protection if you:
- Comply with this policy and applicable laws
- Perform testing in good faith without harmful impact
- Report vulnerabilities responsibly and confidentially.
We will not pursue legal action for responsible disclosure. We consider such research to be authorized access under the law.
Our Security Philosophy
At OTS Pakistan, security is not just a compliance checkbox — it’s a strategic commitment. We continuously monitor, test, and improve our systems based on:
- Global standards (e.g., NIST, ISO 27001)
- Proactive internal audits
- Transparent communication with researchers
- Alignment with GDPR, FCPA, SOX, and other regulatory frameworks
Let’s Make the Internet Safer – Together
We welcome all contributions from the global security community. If you believe you’ve discovered a vulnerability, please reach out. Your efforts make the OTS Pakistan ecosystem more secure for everyone.
Report to: [will be provided later]
PGP Key: Available upon request