Vulnerability disclosure policy
We are committed to maintaining the security and integrity of our products, services, and systems. Collaboration with the security community strengthens our protections and helps ensure the safety and privacy of our users.
This policy outlines how Omni handles vulnerabilities and how to report them to our security team.
Our expectations of you
- Test responsibly. Make sure your research doesn’t impact privacy, disrupt users, or damage our services.
- Stay within scope. Focus only on what this policy considers to be in scope - anything not listed is off-limits.
- Report it. Use our contact information to send us your findings.
- Keep it confidential. Don’t share details about the vulnerability until we’ve had time to review and/or patch it.
What you can expect from us
When you report a vulnerability to us, you can expect:
- Legal protection. We won't take legal action against you if you follow the guidelines.
- Prompt acknowledgment. You’ll hear back from us within 3 business days and we’ll work to fix the issue quickly.
Vulnerability evaluation
We’ll assess your report based on:
- Impact. What is the potential impact of this issue? Could it compromise user privacy or security?
- Likelihood. How easy is it to exploit? Does it require advanced skills or is it something a typical attacker could use?
In scope
This policy covers all systems, services, and infrastructure that are developed, operated, or supported by Omni Analytics. This includes nearly all the content hosted within the following domains:
*.omni.co
*.omniapp.co
Out of scope
This policy does not cover the following:
- Third-party services. If the issue is with a service not controlled by us, we can’t take responsibility for it.
- Social engineering. Phishing, smishing, and similar attacks are out of scope.
- Cosmetic issues. UI glitches, spelling mistakes, or minor user experience bugs aren’t considered vulnerabilities.
- Denial of Service (DoS/DDoS). We’re not interested in network-level attacks.
- Outdated browsers/plugins. Flaws affecting outdated software are outside the scope of this policy.
Submitting reports
If you've found a vulnerability, email us at security@omni.co and include:
- A description of the issue and why it's a problem
- The steps to reproduce the vulnerability, including screenshots, scripts, or videos if possible
Do not include personally identifiable information (PII) or payment card information (PCI) in your reports to us.
We value your efforts to help us improve security and we look forward to working with you!