Vulnerability disclosure
Safe-harbour policy for security researchers.
Placeholder VDP — replace with counsel-reviewed copy before launch.
How to report
Email [email protected] with the subject line [SECURITY]. We respond within 72 hours.
Scope
- Production gateway at api.omegahq.dev
- Marketing site at omegahq.dev
- The packaged IDE installer + its update channel
Out of scope
- Vulnerabilities in upstream Microsoft VS Code (report those to MSRC)
- Vulnerabilities in third-party VS Code extensions
- Social engineering of the founder or users
Safe harbour
Good-faith security research that follows this policy will not result in legal action. Don't exfiltrate user data; don't degrade service for others.