Vulnerability Disclosure Policy

Introduction

At Orbital Systems, we are committed to maintaining the security and integrity of our smart recirculating showers and our associated digital services. We understand that our systems are critical to your daily life, and we appreciate the role of security researchers and our user community in helping keep our systems safe. This Vulnerability Disclosure Policy aims to give clear guidelines on how external individuals can report security vulnerabilities, and how we will respond.

Scope

This policy applies to any digital products, services, or systems offered by Orbital Systems, including but not limited to:

  • Our smart recirculating shower devices
  • Orbital Systems mobile applications
  • Orbital Systems web services (including APIs)

How to Report a Vulnerability

If you believe you have found a security vulnerability in any of Orbital Systems’ products or services, we ask that you help us by reporting it to us responsibly. Please send your findings to security@orbital-systems.com. Include the following information in your report:

  • Description of the location and potential impact of the vulnerability.
  • A detailed description of the steps required to reproduce the vulnerability (Proof of Concept scripts or screenshots are helpful).
  • Your contact information for follow-up communication.

What Not to Do

  • Do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempting to access data not belonging to you.)
  • Do not test for vulnerabilities on systems that you neither own nor have explicit permission to test.
  • Do not violate the privacy of others, damage others’ data, or disrupt the availability of our services.

What You Can Expect From Us

Upon receiving your vulnerability report, we will take the following steps:

1. Acknowledgment: We will acknowledge receipt of your report within 3 business days.

2. Evaluation: We will investigate the issue and determine its impact. We ask for your patience during this process as it may take time to fully evaluate.

3. Communication: We will keep you informed of our progress as we work to address the vulnerability. We may contact you for further clarification.

4. Disclosure: We will work with you to determine how best to disclose the issue responsibly, ensuring that we mitigate any risks associated with the vulnerability before public disclosure.

5. Remediation and Recognition: We aim to fix vulnerabilities promptly. Depending on the severity and impact, we may recognize your contribution in our Hall of Fame or offer a bounty as part of our reward scheme.

Legal Points

By participating in our vulnerability disclosure program, you agree to abide by all applicable laws and regulations. You must not engage in any activity that would harm Orbital Systems or its customers. We do not authorize, permit, or otherwise allow any action that would disrupt our services as part of this disclosure process.

Conclusion

We are committed to working with the community to ensure the safety, security, and reliability of our services. We welcome and value your input and encourage responsible reporting of any issues you find.

For further queries regarding this policy, please contact security@orbital-systems.com.