Vulnerability Disclosure Policy

Version 1.0 — Effective August 3, 2026 (posted July 4, 2026)

1. Our Commitment

Oystercatcher, LLC, a Connecticut limited liability company ("Oystercatcher," "we," "our," or "us"), takes the security of our platform and our customers' data seriously. We value the work of security researchers who help keep our users safe, and we welcome good-faith reports of security vulnerabilities in our systems. This policy explains what systems are in scope, what we ask of researchers, and what researchers can expect from us.

2. Scope

The following systems and services are in scope for this policy:

  • oystercatcher.ai — our marketing website
  • app.oystercatcher.ai — our customer-facing application
  • api.oystercatcher.ai — our API
  • admin.oystercatcher.ai — our administrative dashboard

Any system not listed above — including third-party services we use — is out of scope. If you are unsure whether a system is in scope, ask us at [email protected] before testing.

3. Safe Harbor

We consider security research conducted in good faith and consistent with this policy to be authorized within the meaning of applicable anti-hacking and anti-circumvention laws. Specifically, for research that complies with this policy:

  • We will not pursue or support legal action against you.
  • We will not refer compliant, good-faith research to law enforcement.
  • We waive any claims against you under the Computer Fraud and Abuse Act (CFAA), the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA), and analogous state computer-crime laws (including Conn. Gen. Stat. § 53a-251 and Cal. Penal Code § 502) arising from your compliant research.
  • We will not bring a claim against you for circumventing the technological measures we use to protect the in-scope systems, to the extent your circumvention was necessary for compliant research.
  • If a third party initiates legal action against you for activity conducted in accordance with this policy, we will make it known that your actions were authorized by us.

This safe harbor applies only to research that complies with this policy and with applicable law. It does not apply to research that exceeds the rules of engagement below, and it does not authorize testing of third-party systems. If at any point you are uncertain whether your research is consistent with this policy, stop and contact us at [email protected] before continuing.

4. Rules of Engagement

When conducting research under this policy, you must:

  • Not degrade the service. Do not perform denial-of-service testing, volumetric testing, resource exhaustion, or any activity that could disrupt availability for our customers.
  • Minimize data access. Do not access, modify, or exfiltrate data beyond the minimum necessary to demonstrate the vulnerability. A single record or a truncated response is sufficient proof. If you inadvertently access data beyond what is needed to demonstrate the issue, stop, do not save or share it, note what was accessed, and include that in your report.
  • Never access other customers' data. Test only against your own accounts and data. Use your own trial account for testing — do not test using another organization's account or attempt to reach another customer's data. If self-serve trial access is unavailable to you, email [email protected] and we will provision a test account for good-faith research.
  • Not use social engineering. Do not phish, pretext, or otherwise socially engineer our employees, contractors, or customers.
  • Not conduct physical attacks. Do not attempt physical access to our offices, infrastructure, or personnel.
  • Stop on contact with personal data. If you encounter personal data — including healthcare professional data, customer data, or employee data — stop testing immediately, do not retain or share it, and report what you found to us right away.

5. How to Report a Vulnerability

Report vulnerabilities by email to [email protected]. A good report includes:

  • A description of the vulnerability and its potential impact
  • The affected domain, endpoint, or component
  • Step-by-step reproduction instructions, including any request/response details, screenshots, or proof-of-concept code needed to reproduce the issue
  • Your suggested remediation, if you have one

What you can expect from us:

  • Acknowledgment: We will acknowledge your report within 3 business days.
  • Status updates: We will keep you informed of our progress as we validate and remediate the issue.
  • Coordinated disclosure: We ask that you give us 90 days from your report before publicly disclosing the vulnerability, so we have a reasonable opportunity to remediate it. If we need more time for a complex fix, we will discuss an extension with you; if we remediate sooner, we are happy to coordinate earlier disclosure.

6. Out of Scope

The following issue types are out of scope and should not be reported unless you can demonstrate a concrete security impact:

  • Missing security headers without a demonstrated exploit or impact
  • SPF, DKIM, or DMARC configuration reports
  • Rate-limiting issues on non-authentication endpoints
  • Clickjacking on pages with no sensitive actions
  • Vulnerabilities in third-party services we use — please report those directly to the affected vendor
  • Automated scanner output without a working proof of concept

7. Recognition

We do not operate a paid bug bounty program at this time. With your permission, we are glad to credit you for responsibly disclosed vulnerabilities that lead to a fix.

8. Questions

Questions about this policy, including its legal terms, can be directed to [email protected]. Security reports should always go to [email protected].

Oystercatcher, LLC