Security
Responsible security disclosure
If you believe you found a security issue affecting Okiela, please report it responsibly so it can be reviewed and fixed safely.
No public paid bounty program yet
Okiela currently handles responsible disclosures case by case. Please do not assume a reward, bounty, or testing authorization beyond this policy.
Where to report
Email security@okiela.io. If that mailbox is unavailable, use daint@okiela.io.
Preferred languages: English or Vietnamese.
What to include
- Affected URL or feature.
- Clear steps to reproduce.
- Expected impact and severity in your view.
- Screenshots, a short screen recording, or request/response notes if useful.
- Whether you observed any data exposure. Do not include other users' private data.
Safe testing rules
- Use only your own account, test data, or publicly visible pages.
- Stop immediately if you encounter private data, credentials, or destructive behavior.
- Do not perform denial-of-service, spam, social engineering, or high-volume automated scanning.
- Do not attempt persistence, privilege escalation beyond what is needed for a proof of concept, or data exfiltration.
Scope
In scope
- Public okiela.io pages and API behavior visible without special access.
- Authentication, session, invitation, billing, dashboard, upload, and Shopify connection flows.
- Security issues that could expose user data, bypass access control, or create unsafe public output.
Out of scope
- Reports based only on missing security headers without an exploitable impact.
- Denial-of-service, load testing, spam, phishing, or social engineering.
- Automated scanner output without clear reproduction and impact.
- Issues in third-party services unless they create an Okiela-specific vulnerability.
What happens next
Okiela will review the report, ask follow-up questions when needed, and prioritize fixes based on user-data risk and product impact. Please avoid public disclosure until the issue is reviewed and a fix is available.