OfficeSpace Software – Vulnerability Disclosure Policy (VDP)
Updated: December 12, 2025
At OfficeSpace, we take the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance steps to ensure our products are of high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products.
Should you find a potential vulnerability, please report the details to our security team at [email protected]. We appreciate responsible disclosure and will acknowledge security researchers when an issue has been reported, adhering to the following parameters.
OfficeSpace does not currently have a bug bounty program in place.
This policy outlines how to report vulnerabilities, what is in scope, and what researchers can expect from us in return.
Scope
This policy applies to:
- Public-facing systems operated by OfficeSpace Software under the *.officespacesoftware.com, *.greetly.com, and/or *.dojo.com domains.
- Web and mobile applications we develop and maintain.
- Public APIs and developer-facing tools under our control.
This policy does not grant permission to access or test:
- Production systems.
- Systems hosting customer data.
- Internal administration systems.
- Any infrastructure not publicly documented.
- Third-party services we rely on but do not control.
Prohibited Activities (Without Prior Written Authorization):
The following activities are not permitted:
- Network or application scanning.
- Use of automated vulnerability scanners or fuzzers.
- Attempts to access, modify, or exfiltrate data.
- Denial-of-service (DoS), brute-force, or resource-exhaustion testing.
- Social engineering or phishing.
- Physical access attempts.
- Password spraying or credential stuffing.
- Exploiting vulnerabilities in third-party or dependent services.
If you are unsure whether a system or activity is in scope, please contact us before proceeding.
Out-of-Scope Findings
We do not consider the following to be valid or actionable security vulnerabilities for the purposes of this policy:
- Displayed server software banners or version information.
- Descriptive error messages (unless they reveal sensitive data).
- Missing HTTP security headers (e.g., X-Frame-Options, Content-Security-Policy).
- Missing or incorrect DNS SPF, DKIM, or DMARC records.
- CSRF vulnerabilities on forms accessible to anonymous users.
- Username or email enumeration.
- Disclosure of known public files (e.g., /robots.txt, /humans.txt).
- Clickjacking on pages with no sensitive actions.
- Rate-limiting issues without demonstrated impact.
What You Can Report
We welcome reports based on:
- Passive observation.
- Interactions with our services as an authorized user.
- Reviews of publicly available code, documentation, or resources.
- Disclosure of vulnerabilities discovered elsewhere that also affect our systems.
If you’ve identified a potential vulnerability that falls outside of active testing, we encourage you to report it. If you’re unsure whether something qualifies, just ask.
How to Report a Vulnerability
Please send an email to:
[email protected]
Include the following:
- A clear description of the suspected vulnerability.
- Steps to reproduce (if applicable).
- Affected domain, URL, or system.
- Any tools or payloads used (optional).
- Your contact details or alias (optional).
We appreciate well-written, actionable reports.
Safe Harbor
If you:
- Act in good faith.
- Follow this policy.
- Avoid unauthorized testing.
Then OfficeSpace Software:
- Will not pursue legal action against you under applicable laws (including CFAA).
- Will not pursue contractual or DMCA claims.
- Will consider your testing authorized under applicable laws.
- Will work with you to understand and remediate any concerns.
This safe harbor only applies to activities conducted within the scope of this policy and in a non-malicious, good-faith manner.
What You Can Expect
We will:
- Acknowledge receipt of your report within 3 business days.
- Investigate and validate the reported issue.
- Keep you reasonably informed during the process.
- Notify you when remediation is complete.
We aim to resolve valid vulnerabilities within 90 days of confirmation, though complex fixes may require more time. We will coordinate with you on disclosure timing.
No Rewards or Bounties
OfficeSpace Software does not currently offer monetary rewards, gifts, or other compensation for vulnerability disclosures. This policy exists to support collaboration and transparency in securing our services.
We may publicly acknowledge significant contributions — with your consent. Anonymous submissions are also accepted.
Disclosure Guidelines
Please refrain from publicly disclosing a vulnerability until:
- We have confirmed this issue; and
- Remediation has been deployed, or
- Both parties have mutually agreed on disclosure timing.
Legal Notice
This policy does not create contractual rights or obligations. OfficeSpace may modify or discontinue this policy at any time without notice.
Related Information
- Security Overview: https://officespacesoftware.com/security
- Privacy Policy: https://officespacesoftware.com/privacy
- Policies: https://trust.officespacesoftware.com
Contact: [email protected]
Preferred-Languages: English
Thank you for helping us maintain a secure and resilient platform.
Last Updated: December 2025