Vulnerability Disclosure Policy
Effective date: June 26, 2026
Introduction
16445039 Canada Inc., doing business as “Onix” (“Onix”, “we”, “us”, or “our”), takes the security of our products and our users seriously. We welcome reports from security researchers and members of the public who identify potential vulnerabilities in our systems. This Vulnerability Disclosure Policy explains how to report a security issue to us and what you can expect in return.
How to report a vulnerability
Please send security reports by email to security@onix.life.
To help us assess and address your report quickly, please include:
- A clear description of the vulnerability and its potential impact.
- The steps required to reproduce the issue.
- The affected URL, domain, application, or component.
- Any supporting material, such as screenshots, logs, or proof-of-concept code.
Please report in English where possible, and submit one issue per report.
No bug bounty program
Onix does not operate a bug bounty program and does not offer monetary rewards, payment, or other compensation for security reports. We accept and review good-faith reports because we value the security of our users, not as part of a paid program. Please do not submit reports with the expectation of payment.
Guidelines for good-faith research
We ask that you:
- Act in good faith to avoid privacy violations, data destruction, and disruption to our services or users.
- Do not access, modify, or delete data that does not belong to you, and only interact with accounts you own or have explicit permission to test.
- Do not perform denial-of-service testing, send spam, or attempt to socially engineer our staff, users, or contractors.
- Give us a reasonable opportunity to investigate and remediate an issue before disclosing it publicly.
- Comply with all applicable laws.
Safe handling
If you make a good-faith effort to follow this policy while researching and reporting a vulnerability, we will treat your activity as authorized, we will not recommend or pursue legal action against you in connection with your report, and we will work with you to understand and resolve the issue promptly. If a third party initiates legal action against you for activities you carried out in accordance with this policy, we will make this authorization known.
Out of scope
The following reports are generally not eligible and may be closed without a detailed response, unless you can demonstrate a concrete, exploitable security impact:
- Reports about email authentication configuration, such as SPF, DKIM, or DMARC settings, without a demonstrated, exploitable impact.
- Missing security headers, cookie flags, or other best-practice recommendations without a working proof of concept.
- Output from automated scanners or tools without analysis showing a real vulnerability.
- Reports concerning third-party services or platforms that we do not control.
- Unsolicited commercial messages, “beg bounty” solicitations, or requests for payment in exchange for vulnerability details.
Our commitment
When you submit a report that follows this policy, we will acknowledge legitimate reports, investigate them, and keep you informed of our progress as appropriate. We are a small team and response times may vary, but we appreciate your help in keeping Onix and our users safe.
Changes to this policy
We may update this Vulnerability Disclosure Policy from time to time. The current version is always available at https://onix.life/security.