Security & Trust

Responsible Disclosure Policy

We Welcome Honest Conversations About Security. If You Have Found Something That Does Not Look Right, We Want To Hear From You.

Effective Date: May 2026
Last Reviewed: May 2026
Applies To: Otonomiq.Ai And All OtonomiQ Products

Found A Potential Vulnerability? Report It Directly To Our Security Team.

OVERVIEW

Our Commitment To Security

At OtonomiQ AI, Security Is Not A Department Or A Checkbox. It Is A Core Part Of How We Build Our Platform And Serve The Enterprises That Trust Us With Their Operations, Customer Data, And Workflows Every Single Day.

We Are An Enterprise AI Automation Platform Operating Across Industries Where Data Integrity And System Reliability Are Non-Negotiable, Including Healthcare, Hospitality, Real Estate, And Retail. That Comes With A Serious Responsibility, And We Take It Seriously.

This Responsible Disclosure Policy Explains How We Invite The Security Community, Independent Researchers, And Curious Users To Share What They Find, How We Handle Those Reports, And What Both Sides Can Expect Throughout The Process.

PURPOSE

Why This Policy Exists

No Software Is Perfect. The Most Secure Organizations In The World Stay Secure Not Because They Have Eliminated Every Flaw, But Because They Have Built Systems To Find And Address Vulnerabilities Quickly And Responsibly.

We Created This Policy To Make It Easy And Safe For Anyone Who Discovers A Potential Security Issue On Our Platform To Come Forward. We Do Not Want Researchers To Hesitate Out Of Fear Of Legal Consequences Or Uncertainty About How We Will Respond. We Want Open, Good-Faith Communication.

This Policy Is Our Formal Invitation And Our Commitment To Treat That Communication With The Respect It Deserves.

SCOPE

What This Policy Covers

This Policy Applies To All Digital Assets Owned And Operated By OtonomiQ AI, Including The Main Platform At Otonomiq.Ai, The OtonomiQ Converse Product, Associated APIs, Web Interfaces, And Mobile Applications Where Applicable.

Web Platform

The OtonomiQ AI Dashboard, Landing Pages, And All Customer-Facing Interfaces At Otonomiq.Ai.

APIs and Integrations

All Publicly Accessible API Endpoints And Integration Connectors Used By OtonomiQ Products.

OtonomiQ Converse

The Conversational AI Layer That Handles Customer Interactions Across WhatsApp, Email, And Other Channels.

Authentication Systems

Login Flows, Session Management, Token Handling, And Access Control Across All OtonomiQ Services.

EXCLUSIONS

What Falls Outside This Policy

While We Encourage Responsible Exploration, Certain Activities Fall Outside The Boundaries Of This Policy. Reports Related To The Following Areas Will Not Be Eligible For Acknowledgment Or Action Under This Program.

  • Denial Of Service Attacks, Volumetric Flooding, Or Any Action That Intentionally Degrades Platform Performance Or Availability.
  • Social Engineering Or Phishing Attempts Targeting OtonomiQ Employees, Customers, Or Partners.
  • Accessing, Modifying, Or Deleting Data Belonging To Other Users Or Third Parties Without Prior Written Authorization.
  • Physical Security Testing Of Our Offices, Hardware, Or Infrastructure.
  • Automated Scanning Tools Run At A Scale That Disrupts Normal Operations Or The Experience Of Legitimate Users.
  • Third-Party Services, Tools, Or Platforms That OtonomiQ Integrates With But Does Not Own Or Operate.
  • Vulnerabilities In Software Versions That Our Platform No Longer Uses Or Supports.
  • Reports That Require A High Degree Of Physical Access Or Prior Compromise Of The End User's Own Device.

REPORTING

How To Submit A Report

If You Believe You Have Identified A Security Vulnerability In Any OtonomiQ System, We Ask That You Reach Out To Our Security Team Directly Before Disclosing The Issue Publicly. This Gives Us The Opportunity To Understand The Risk, Validate The Finding, And Work On A Resolution Without Putting Users At Unnecessary Risk.

Send Your Report To tabrez@otonomiq.ai With A Clear And Detailed Description Of What You Found. The More Context You Provide, The Faster We Can Understand And Address The Issue.

Please Include In Your Report: A Clear Description Of The Vulnerability, The Specific URL Or Area Of The Platform Affected, The Steps Needed To Reproduce The Issue, Any Tools Or Techniques Used During Discovery, And The Potential Impact You Believe The Vulnerability Could Have.

You Do Not Need To Provide A Fully Formed Proof-Of-Concept Exploit. A Clear And Honest Description Is Enough To Get The Conversation Started.

RESPONSE PROCESS

What Happens After You Report

We Take Every Report Seriously. Here Is What You Can Expect Once Your Report Reaches Us.

1. Acknowledgment Within 72 Hours

Via WhatsApp, Web Chat, Instagram, Or Any Connected Channel. OtonomiQ Captures It Instantly, Regardless Of The Time Or Platform.

2. Initial Assessment Within 7 Business Days

We Will Evaluate The Report, Attempt To Reproduce The Issue, And Classify The Severity. We May Reach Out For Additional Information During This Stage.

3. Ongoing Communication

We Will Keep You Informed As The Issue Is Investigated And Work Progresses Toward A Resolution. We Aim For Transparency Throughout The Process.

4. Remediation And Closure

Once A Fix Has Been Implemented And Verified, We Will Notify You Of The Resolution. We Will Also Let You Know If And How We Plan To Publicly Acknowledge The Finding.

SAFE HARBOR

Our Commitment To Good-Faith Researchers

OtonomiQ AI Is Committed To Working With Researchers Who Report Security Issues In Good Faith. If You Follow The Guidelines In This Policy, We Will Not Pursue Legal Action Against You For Your Research Activities. We Will Not Contact Your Employer, File A Complaint With Law Enforcement, Or Take Any Adverse Action Related To Your Report.

Good Faith Means Discovering A Potential Issue And Reporting It To Us Without Exploiting It For Personal Gain, Disclosing It Publicly Before We Have Had A Reasonable Opportunity To Respond, Or Accessing Data Beyond What Is Necessary To Demonstrate The Issue Exists.

We Recognize That Security Research Is A Valuable Contribution To The Broader Ecosystem, And We Treat It As Such. We Ask That You Extend The Same Good Faith To Us As We Navigate The Process Of Understanding And Addressing What You Share.

CONFIDENTIALITY

Handling Your Report With Discretion

We Understand That Researchers May Have Concerns About Privacy. We Will Keep The Details Of Your Report Confidential Within Our Internal Security Team And Will Not Share Identifying Information About You With Third Parties Without Your Explicit Permission.

If You Would Like To Remain Anonymous, You Are Welcome To Do So. We Will Still Review And Act On Your Report. However, Please Note That We May Not Be Able To Provide Updates Or Acknowledgment If We Have No Way To Contact You.

We Also Ask That You Keep The Details Of Any Vulnerability You Discover Confidential Until We Have Had Sufficient Time To Investigate And Remediate The Issue. Coordinated Disclosure Protects The Users And Organizations That Depend On Our Platform.

RECOGNITION

Acknowledging Your Contribution

OtonomiQ AI Does Not Currently Operate A Paid Bug Bounty Program. However, We Genuinely Value The Time And Effort Researchers Invest In Making Our Platform More Secure.

For Valid And Significant Vulnerability Reports Submitted In Good Faith, We Are Happy To Provide Public Acknowledgment On Our Website Or Security Advisory With Your Permission. We Will Always Ask Before Naming You And Will Respect Your Preference To Remain Anonymous.

We Are Continuously Evaluating How We Can Better Recognize And Reward The Security Community As Our Program Matures. We Appreciate Your Patience And Your Commitment To Responsible Disclosure.

SECURITY STANDARDS

How We Approach Security At OtonomiQ

OtonomiQ AI Is Built To Operate In Compliance-Sensitive Environments. Our Platform Is HIPAA Compliant, SOC Certified, ISO 27001 Aligned, And GDPR Proactive. Every Customer Interaction Handled By Our System Is Governed By Enterprise-Grade Guardrails, Full Audit Trails, And Access Controls Designed For Regulated Industries.

Security Is Not An Afterthought At OtonomiQ. It Is Built Into How We Design, Test, And Deploy Every Feature. This Responsible Disclosure Policy Is One Part Of A Broader Security Program That Includes Regular Internal Reviews, Third-Party Assessments, And Continuous Monitoring.

We Welcome The Security Community As A Partner In That Effort.

POLICY UPDATES

Changes To This Policy

OtonomiQ AI Reserves The Right To Update This Responsible Disclosure Policy At Any Time As Our Platform Grows And Our Security Program Evolves. When Significant Changes Are Made, We Will Update The Effective Date At The Top Of This Page.

We Encourage You To Review This Page Periodically. Continued Use Of Our Platform Following Any Updates Constitutes Acceptance Of The Revised Policy.

If You Have Any Questions About This Policy Or Are Unsure Whether A Specific Activity Falls Within Its Scope Before You Begin Testing, Please Reach Out To Us Directly. We Are Happy To Provide Clarity.

Ready To Report A Vulnerability?

Our Security Team Reviews Every Submission. Reach Out And We Will Take It From There.

tabrez@otonomiq.ai

You Can Also Reach Us By Phone At +91 75500 51204  ·  Chennai, India