Legal

Security disclosures.

Last updated: May 2026.

Operious welcomes responsible security research and treats credible reports as part of maintaining trustworthy enterprise infrastructure. This page describes how to report vulnerabilities and what researchers can expect.

Security review for enterprise customers is handled through the applicable procurement, legal, and architecture review process. Responsible disclosure reports can be sent directly to security@operious.com.

Operating detail

What this page establishes

Responsible disclosure

Please include affected systems, reproduction steps, impact, relevant screenshots or logs, and contact information. Avoid accessing customer data, modifying records, degrading service availability, or performing destructive testing. Operious will acknowledge credible reports and prioritize remediation according to severity and exploitability.

In-scope issues

Examples of in-scope issues include authentication defects, authorization bypass, tenant isolation failures, credential exposure, unauthorized data access, governance bypass paths, remote code execution, and vulnerabilities that materially affect production service integrity.

Out-of-scope issues

Out-of-scope issues may include denial-of-service testing without approval, spam, social engineering, physical attacks, reports without security impact, automated scanner output without validation, or vulnerabilities in third-party services outside Operious control.

Operating commitments

Operious prioritizes vulnerabilities based on severity, customer impact, exploitability, affected deployment scope, and available mitigations. Enterprise customers receive security handling terms through their written agreement.

Security architecture review

Enterprise buyers can request review of tenant isolation, encryption, credential handling, event auditability, access controls, subprocessors, deployment topology, and compliance roadmap. These reviews are part of the architecture process for regulated deployments.