Vulnerability Disclosure Policy

Responsible Vulnerability Disclosure (RVD) Policy

o9 Solutions is committed to maintaining the security and integrity of our systems and services and values the contributions of security researchers in helping us maintain a secure environment. Our RVD policy applies to all systems, applications, and services owned or operated by o9 Solutions. Read the policy to understand what actions you should take if you discover a vulnerability.

1. Purpose

o9 Solutions is committed to maintaining the security and integrity of our systems and services and values the contributions of security researchers in helping us maintain a secure environment. This Responsible Vulnerability Disclosure (RVD) Policy outlines our approach to receiving and addressing reports of vulnerabilities in our systems.

2. Scope

This policy applies to all systems, applications, and services owned or operated by o9 Solutions, for example:

  • Web applications
  • APIs
  • Network Infrastructure
  • Mobile applications
  • Any systems, computers, applications, services, etc. owned by o9 Solutions

3. Policy Detail

3.1. Types Of Security Research Prohibited

o9 Solutions does not allow any research to be done on any o9 Solutions systems listed in the Scope section of this policy.

The following activities are not allowed:

  1. Unauthorized Testing: Any form of testing without explicit authorization from o9 Solutions.
  2. Exploitation: Exploiting vulnerabilities without explicit authorization from o9 Solutions.
  3. Social Engineering: Attempting to manipulate employees, customers, or partners to gain unauthorized access without explicit authorization from o9 Solutions.
  4. Physical Attacks: Any physical attacks against our facilities, equipment, or personnel without explicit authorization from o9 Solutions.
  5. Denial of Service Attacks: Any attempted denial-of-service attacks against o9 Solutions without explicit authorization from o9 Solutions.

Any such unauthorized activities may result in legal action.

3.2. Reporting Vulnerabilities Steps

If you discover a security vulnerability, please follow these steps.

  1. Submit a Report: Email our security team at [email protected]. Include a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence.
  2. Acknowledgment: o9 Solutions will acknowledge receipt of your report.
  3. Investigation: o9 Solutions will investigate the issue promptly.
  4. Resolution: o9 Solutions is dedicated to resolving valid vulnerabilities reported by researchers.
  5. Public Disclosure: o9 Solutions requests that you do not publicly disclose the vulnerability until we have had sufficient time to address it and have received confirmation that it has been closed.

3.3. Actions And Associated Time Frame

Upon notification of a vulnerability, o9 Solutions will promptly undertake the following steps.

  1. Acknowledgment: Within 15 business days.
  2. Initial Assessment: Within 10 business days.
  3. Resolution: o9 Solutions aims to resolve critical vulnerabilities within a reasonable timeframe after completing the Initial Assessment. In the event that a reported vulnerability is confirmed, it will be handled as an incident in accordance with the documented o9 Solutions Cybersecurity Incident Response Plan. Complex issues may take longer, but we will provide periodic communications to keep you informed of progress.

o9 Solutions will involve our senior management and legal team to determine the appropriate course of action regarding disclosure and notifications as needed.

3.4. Recognition and Rewards

This program isn’t intended to represent a public bug bounty program, and o9 Solutions doesn’t offer rewards or compensation for submitting potential issues.

3.5. Acknowledgment and Communication

o9 Solutions will acknowledge receipt of a vulnerability report. We will then investigate the reported issue promptly and keep the reporter informed of our progress and any necessary steps.

3.6. Resolution And Disclosure

o9 Solutions requests that you do not publicly disclose the vulnerability until we have had sufficient time to address it. Once a vulnerability has been verified and addressed, o9 Solutions may notify the individual who reported the vulnerability and provide details of the resolution. Depending on the severity of the vulnerability and upon receiving advice from our legal counsel, o9 Solutions may opt to issue a security advisory or update to inform our users about the issue and detail the measures implemented to address it.

3.7. Contact Information

For any questions or to report a vulnerability, please contact: [email protected]

4. Maintenance of Records

This Policy shall be retained in accordance with the o9 Solutions Records Retention Policy.

5. Revision History

Last Update: 04/11/2025