Product Security

Orro values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reports of vulnerabilities. We encourage the community to participate in our responsible reporting process.

For Orro Products

Please report product-related issues directly to security@getorro.com. Use our PGP key to encrypt any report that contains sensitive information, such as reproduction steps, proof-of-concept code, credentials, or customer data.

Third-party bugs

If an issue reported to our bug bounty program affects a third-party library, an external project, or another vendor, Orro reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate with that party and keep the researcher informed throughout this process.

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to correct any vulnerability quickly. To encourage responsible reporting, we will not take legal action against you, nor ask law enforcement to investigate you, provided you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including the information needed to reproduce and validate it (affected product and version, configuration, and steps) and a Proof of Concept (PoC).

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

  • Do not modify or access data that does not belong to you.

  • Give Orro a reasonable amount of time to correct the issue before making any information public.

  • Ensure that any public disclosure of a vulnerability accurately represents the attack details, including a severity rating per the CVSS v3.1 guidelines, and states whether a fix is available.

  • Alter only Orro products that you own or have permission to access.

  • Do not compromise the safety of Orro products or expose others to an unsafe condition.

  • Security research is limited to the security mechanisms of Orro products and cloud services.

In Scope

Orro products and Orro cloud services used to communicate with Orro products.

Not In Scope

Any services or systems that are not Orro products or are hosted by third-party providers. This includes but is not limited to:

  • getorro.com website, support, and e-commerce endpoints

  • Social Engineering and Phishing attacks against Orro employees, contractors, customers, or support

Acknowledgements

Tesla Product Security