ODA Vulnerability Disclosure Policy

  • Vulnerability Disclosure Policy

    Open Design Alliance welcomes vulnerability reports from security researchers, the general public, and any other source to help improve our product security.

    If you believe you have discovered a vulnerability in any of our products, please submit a vulnerability report by emailing security@opendesign.com using our PGP key below to encrypt sensitive information:

    Download ODA PGP Public key

    In your report, please include details of:

    • The version, architecture and configuration of the ODA SDK.
    • A brief description of the type of vulnerability, for example, a buffer overflow.
    • Steps to reproduce, including a proof-of-concept malformed file.

    The Open Design Alliance security team ignores any message to security@opendesign.com that does not relate to reporting or managing an undisclosed security vulnerability in Open Design Alliance software, or that requires registration or login to external services to obtain information about a potential security vulnerability.

  • In Scope

    The Open Design Alliance security team considers only vulnerabilities in the ODA SDK products described at https://www.opendesign.com/products.

  • Out of Scope

    Open Design Alliance does not issue CVEs or fixes for Open Design Alliance software that is no longer supported (see EOL Policy).

    If reported issues affect a third-party library or external project used in Open Design Alliance software, Open Design Alliance reserves the right to ask the researcher to contact third-party developers directly.

  • What to Expect from Us

    We intend to provide an initial response to reporters within five business days.

    Then the Open Design Alliance security team investigates and reproduces the vulnerability. If needed, we will request more information from the reporter.

  • Our Expectations

    Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.

    Use only our official channels to discuss vulnerability information with us.

    Provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly.

    Perform testing only on in-scope systems, and respect systems and activities that are out of scope.

  • Disclosure timelines

    Open Design Alliance is committed to fixing vulnerabilities in a timely manner based upon the severity of the vulnerability. After the fix is available in published releases and a CVE ID is received, we intend to publish CVE details. We may publish CVE details before we provide fixes.

  • Recognition

    While we do not compensate researchers for identifying security vulnerabilities, we do recognize and mention you on our security advisories page if you help keep our products safe by reporting security vulnerabilities responsibly in accordance with our Vulnerability Disclosure Policy.

    Note: Open Design Alliance reserves the right to update the policy at any time.