Disclosure Policy
Last updated: May 2026. Covers responsible disclosure and incident notification commitments.
1. Purpose
This Disclosure Policy sets out two related commitments: how OpasSecure handles security vulnerability reports from researchers and the public (Responsible Disclosure), and how OpasSecure notifies clients and affected parties when a security incident occurs (Incident Disclosure).
We believe transparency is fundamental to trust. We publish this policy so that security researchers know what to expect when they report to us, and so that clients know what to expect from us when something goes wrong.
2. Responsible disclosure - for security researchers
If you believe you have discovered a security vulnerability in any OpasSecure system, product, or service, we ask that you report it to us before public disclosure so that we can investigate and remediate.
To report a vulnerability: email security@opassecure.com with the subject line "Vulnerability Report". Include a clear description of the vulnerability, the affected system or component, reproduction steps, and any supporting evidence (screenshots, proof-of-concept code, HTTP captures). PGP-encrypted submissions are welcome; our public key is available on request.
Please do not exploit the vulnerability beyond what is necessary to demonstrate its existence. Do not access, modify, copy, or destroy data you are not authorised to access. Do not perform denial-of-service testing, social engineering, or physical security attacks. Do not disclose the vulnerability to third parties before we have had a reasonable opportunity to remediate.
3. Scope
In scope: opassecure.com and all subdomains; OpasShield, OpasIntel, OpasGuard, and OpasComply platforms operated by OpasSecure; OpasSecure-controlled cloud infrastructure and APIs.
Out of scope: client systems, partner systems, or third-party infrastructure that OpasSecure does not own or operate; social engineering attacks against OpasSecure staff; physical security attacks; automated scanning without prior written authorisation; denial-of-service or resource exhaustion testing.
If you are unsure whether a system is in scope, ask us before testing. Out-of-scope research is not covered by the safe harbour in section 5.
4. What to expect from us
Acknowledgement within 3 business days of receipt. Initial triage and severity assessment within 7 business days. Regular updates on remediation progress for confirmed vulnerabilities.
We aim to remediate critical and high-severity vulnerabilities within 30 days of confirmation. Medium and low-severity issues are addressed within 90 days. Complex systemic issues may require longer; we will communicate timelines clearly.
We do not currently operate a paid bug bounty programme, but we recognise researchers publicly in our advisory notes (with permission) and may offer recognition in other forms at our discretion.
If you have not received acknowledgement within 5 business days, please follow up. Email can be unreliable.
5. Legal safe harbour
Good-faith security research conducted in accordance with this policy - specifically, within the defined scope and without exploiting or exposing data - will not result in legal action from OpasSecure.
We will not initiate legal proceedings against researchers who: report promptly and avoid exploitation; do not access data beyond what is necessary for proof-of-concept; respect the coordination period before public disclosure; and act in compliance with applicable law.
This safe harbour applies to OpasSecure only. We cannot speak for third parties, law enforcement, or other stakeholders.
6. Coordinated disclosure and public advisories
We support coordinated vulnerability disclosure. Our default coordination window is 90 days from the date we confirm a vulnerability. We will work with you to agree a disclosure timeline that allows remediation while respecting your right to publish.
If remediation requires more than 90 days, we will discuss an extension with you. If we fail to remediate within an agreed timeline, you retain the right to disclose.
We publish security advisories for confirmed vulnerabilities in OpasSecure products at opassecure.com/opaslabs/advisories. Advisories include the affected component, severity rating, impact description, remediation status, and researcher credit (with permission).
7. Incident disclosure - for clients and affected parties
In the event of a security incident that affects or is likely to affect client data, OpasSecure will notify affected clients without undue delay once the scope and nature of the incident have been assessed.
For incidents involving personal data, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, as required by the Kenya Data Protection Act, 2019. Where the breach is likely to result in high risk to individuals, we will also notify affected individuals directly.
Client notifications will include: a description of the nature of the incident; the categories and approximate number of records affected; the likely consequences; the measures taken or proposed to address the incident; and a named point of contact for further questions.
We will publish a post-mortem report for significant incidents within 30 days of resolution. Post-mortems will include a root-cause analysis, timeline, remediation steps taken, and systemic improvements implemented. We will not include client-identifying information in public post-mortems without consent.
8. Contact
Security disclosures: security@opassecure.com
Incident response (emergency): +254 (emergency line listed on our incident response page)
Legal and policy enquiries: legal@opassecure.com
OpasSecure Infotech Solutions Ltd, Westlands, Nairobi, Kenya.
