Responsible Vulnerability Disclosure Policy

Orkestra Communications LLC

At Orkestra Communications LLC, security is a top priority. We are committed to protecting our users, partners, and systems by fostering a transparent and collaborative approach to vulnerability management. We welcome reports from security researchers, ethical hackers, and members of the public who identify potential vulnerabilities in our services.

How to Report a Vulnerability

If you believe you’ve discovered a security vulnerability, we encourage you to report it promptly so we can investigate and resolve the issue. Please include as much relevant information as possible (e.g., affected systems, URLs, reproduction steps, screenshots or proof-of-concept code).

You may submit your report through either method:

  • Email: he******@******ra.us
  • Web Form: https://orkestra.us/contact/

What Happens After You Report

Upon receiving a valid vulnerability report, we will:

  1. Acknowledge receipt of your report within 7 business days
  2. Begin our internal investigation and assess the validity and severity of the issue
  3. Provide updates on progress, if applicable
  4. Work to resolve confirmed vulnerabilities promptly
  5. Credit you (with permission) if your report results in a material security improvement

Guidelines for Responsible Disclosure

To ensure a constructive and legal interaction, we ask that you:

  • Avoid accessing, modifying, or destroying data that does not belong to you
  • Do not attempt to disrupt services or systems (e.g., via DoS attacks)
  • Respect privacy and confidentiality of our users and systems
  • Comply with applicable laws and this disclosure policy
  • Provide us a reasonable time to remediate the issue before public disclosure

Safe Harbor Commitment

We are committed to building a positive relationship with the security community. As such, Orkestra Communications LLC will not pursue legal action against individuals who engage in good faith research and follow the terms of this policy.

We consider your testing to be authorized under the following conditions:

  • Your activities are limited to non-production systems or publicly available information
  • You make a reasonable effort to avoid privacy violations and disruption
  • You report the vulnerability directly to us and do not disclose it publicly until we’ve had time to resolve it
  • You do not intentionally access or delete user data

Questions or Clarifications?

If you have questions about this policy or need clarification on what’s covered, please email us at he******@******ra.us.

Thank you for helping us keep our systems secure.