Last updated: March 2026

LockedOn is committed to maintaining the security of our platform and protecting the data of our customers.

If you believe you have discovered a potential security vulnerability affecting a LockedOn system, we encourage you to report it responsibly so that we can investigate and address the issue. Please do not publicly disclose potential vulnerabilities.

Reporting a Vulnerability

Please report suspected vulnerabilities by emailing

Your report should include:
  • A clear description of the vulnerability
  • The affected URL, feature, or system
  • Steps required to reproduce the issue
  • Any proof-of-concept material (screenshots, payloads, etc.)

Providing detailed and reproducible information helps us investigate and resolve issues more quickly.

Additional Reporting Requirements

  • Reports must include sufficient technical detail to reproduce the issue.
  • Reports referencing undisclosed vulnerabilities or requesting payment in exchange for vulnerability information may not be considered.
  • Reports generated solely by automated scanning tools will not be considered unless accompanied by a demonstrated, reproducible security impact.
  • Vulnerability reports must be submitted through the contact channel listed in this policy. Reports sent to other LockedOn employees or departments may not be reviewed.

Responsible Security Research

LockedOn supports responsible security research conducted in good faith.

When researching or reporting vulnerabilities, please:
  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Only test systems and data that you are authorised to access
  • Limit testing to what is necessary to confirm the vulnerability
  • Immediately stop testing if sensitive data is exposed
  • Report the issue to LockedOn promptly

Security research on LockedOn products and services must:
  • Comply with Australian law
  • Avoid disruption to our services or operations
  • Avoid accessing, modifying, or storing data belonging to other users
  • Be limited to actions necessary to demonstrate the existence of a vulnerability

If security research is conducted in good faith and in accordance with this policy, LockedOn will not initiate legal action against security researchers in relation to the discovery and responsible reporting of a potential security vulnerability.

LockedOn will act in good faith with individuals who report potential security vulnerabilities and will make reasonable efforts to investigate and address reported issues in a timely manner.

Prohibited Activities

The following activities are not permitted under this policy:

  • Accessing or modifying data belonging to other users
  • Performing denial-of-service testing or attempting to disrupt services
  • Automated scanning that generates excessive traffic
  • Social engineering, phishing, or physical security testing
  • Attempting to exploit a vulnerability beyond what is necessary to demonstrate it
  • Requesting payment or threatening disclosure in exchange for vulnerability information

Reports that involve coercion, extortion, or attempts to obtain payment in exchange for disclosure will not be considered responsible disclosure.

Confidentiality and Public Disclosure

We request that all vulnerability reports remain confidential. Please do not disclose or discuss any potential security vulnerability publicly without the express written consent of LockedOn.

Rewards

At our discretion and where this policy is followed, verified security vulnerabilities may be eligible for a cash reward or other recognition.

LockedOn does not negotiate payment in exchange for vulnerability information outside of this policy.

Our Commitment

If you report a vulnerability in accordance with this policy, LockedOn will:

  • Acknowledge receipt of your report
  • Investigate the issue and take appropriate remediation steps
  • Communicate with you where additional information is required

We appreciate the work of security researchers who help keep software ecosystems secure.

Contact

Security reports and questions regarding this policy should be sent to: