Paladin Labs LLC ("Paladin Labs," "HabitatOS," "we," "us," or "our") takes security seriously. This Security and Responsible Disclosure Policy explains how to report potential security issues in HabitatOS and what we ask from good-faith researchers, users, and reporters.
This Policy does not create a bug bounty, reward program, employment relationship, agency relationship, or authorization to violate the law or access data without permission.
If you believe you found a vulnerability, exposed credential, data leak, authentication issue, authorization issue, or other security concern, contact us at Support@habitatos.io.
Please include "Security Report" in the subject line if possible.
To help us review your report, please include a clear description of the issue; the affected app, website, API endpoint, account flow, integration, or feature; steps to reproduce the issue; screenshots or logs if helpful and safe to share; the approximate date and time you observed the issue; and your contact information so we can follow up. Do not send passwords, recovery keys, private API keys, third-party sensor-provider credentials, payment card information, private user data, or other secrets unless we specifically request a safe method for providing them.
When investigating or reporting a security issue, you must act in good faith; avoid accessing, copying, changing, deleting, exporting, or disclosing another user's data; avoid privacy invasion, data destruction, service disruption, spam, phishing, social engineering, or physical attacks; avoid denial-of-service testing, load testing, destructive testing, or automated scanning that could degrade the Service; use only accounts, data, devices, sensors, and credentials you own or are authorized to use; stop testing and notify us promptly if you encounter personal information, secrets, or data that does not belong to you; and keep the issue confidential until we have had a reasonable opportunity to investigate and address it.
The following activities are not authorized: accessing or attempting to access accounts, systems, devices, APIs, or data without permission; exfiltrating, retaining, publishing, or selling user data, secrets, tokens, or credentials; malware, ransomware, credential harvesting, phishing, spam, or social engineering; denial-of-service attacks, stress testing, load testing, or resource exhaustion; physical attacks against Paladin Labs, users, service providers, employees, contractors, or facilities; attacks against third-party services, app stores, payment platforms, sensor providers, hosting providers, or infrastructure not owned or controlled by Paladin Labs; attempting to bypass payment, subscription, entitlement, rate limit, or account restrictions for personal use; or public disclosure before we have had a reasonable opportunity to investigate and fix the issue.
Paladin Labs does not currently operate a paid bug bounty program. Submitting a report does not entitle you to compensation, reward, credit, employment, contract work, or any other benefit.
If we choose to acknowledge a report, any acknowledgement is at our discretion.
After receiving a report, we may review the issue, ask follow-up questions, attempt to reproduce it, assess impact, prioritize remediation, and notify affected users or service providers where appropriate.
We may not be able to respond to every report, especially reports that are incomplete, non-security-related, duplicative, automated, speculative, or out of scope.
Do not publicly disclose a vulnerability, exploit, proof of concept, user data, system detail, credential, or security finding before we have had a reasonable opportunity to investigate and address it.
We ask that you coordinate any disclosure with us and avoid releasing information that could harm users, animals, the Service, Paladin Labs, or third parties.
HabitatOS depends on third-party services such as app stores, hosting providers, database providers, object storage providers, payment and subscription providers, email providers, push notification providers, diagnostic tools, and sensor providers.
Reports about third-party services may need to be submitted directly to those providers. Do not test or attack third-party systems unless you have permission from the applicable provider.
We appreciate good-faith reports that follow this Policy. However, this Policy does not waive any rights, remedies, claims, defenses, or legal obligations, and it does not authorize conduct that violates law, contracts, platform rules, third-party terms, or user privacy.
A court, regulator, platform, or third party may interpret your activity differently. You are responsible for ensuring your conduct is lawful and authorized.
If your concern involves account abuse, unauthorized sharing, fraudulent passport transfer claims, harmful content, or privacy concerns that are not technical vulnerabilities, contact Support@habitatos.io and describe the issue.
We may update this Policy from time to time. If we make material changes, we will update the effective date.
Paladin Labs LLC
11 Municipal Drive, Suite 200, PMB 1022
Fishers, Indiana 46038
United States
Email: Support@habitatos.io
Website: https://habitatos.io
State of Formation: Indiana