Security

Email security@heyoria.com. PGP is fine; ask if you want our key.

Include, at minimum:

• A clear description of the issue.
• Steps to reproduce. If your steps involve a test account, tell us which one.
• The impact you believe it has. We'll calibrate; you don't need to grade it for us.
• A timeline preference if you have one (e.g. plan to publish in 90 days).

• Acknowledgement within 72 hours. A human will reply.
• An honest assessment of severity and a target fix window.
• Credit in the release note if you want it. We will not name you without permission.
• No legal action against good-faith research that respects the scope below.

We are a beta product without a bug bounty program. We appreciate responsible disclosure and try to make the process feel respectful.

• heyoria.com and any subdomain we operate.
• The Oria mobile/desktop app, when those exist.
• The Supabase project we run (vulnerabilities specific to our configuration of it).
• The Python extraction sidecar we deploy on Railway.

• Third-party services we use (Supabase platform itself, Anthropic, Resend, Vercel, OpenAI). Please report those upstream.
• Social-engineering attacks against Oria employees or other users.
• Physical attacks against Oria infrastructure or staff.
• Findings that require already-elevated access (e.g. you already have the service-role key).
• Denial-of-service findings whose realistic exploit volume is what every public web service already accepts.
• Self-XSS, missing security headers without a demonstrated attack, and reports that copy automated-scanner output without analysis.

If you act in good faith, stay within the scope above, and don't exfiltrate or destroy other people's data, we will not pursue legal action and will work with you on disclosure.