Last updated: March 2026

LockedOn is committed to maintaining the security of our platform and protecting the data of our customers.

If you believe you have discovered a potential security vulnerability affecting a LockedOn system, we encourage you to report it responsibly so that we can investigate and address the issue. Please do not publicly disclose potential vulnerabilities.

Reporting a Vulnerability

Please report suspected vulnerabilities by emailing

Your report should include:
  • A clear description of the vulnerability
  • The affected URL, feature, or system
  • Steps required to reproduce the issue
  • Any proof-of-concept material (screenshots, payloads, etc.)

Providing detailed and reproducible information helps us investigate and resolve issues more quickly.

Additional Reporting Requirements

  • Reports must include sufficient technical detail to reproduce the issue.
  • Reports must demonstrate a clear and reproducible security impact.
  • Reports describing theoretical attack scenarios without evidence of exploitability may not be considered.
  • Reports referencing undisclosed vulnerabilities or requesting payment in exchange for vulnerability information may not be considered.
  • Reports generated solely by automated scanning tools will not be considered unless accompanied by a demonstrated, reproducible security impact.
  • Vulnerability reports must be submitted through the contact channel listed in this policy. Reports sent to other LockedOn employees or departments may not be reviewed.

Responsible Security Research

LockedOn supports responsible security research conducted in good faith.

When researching or reporting vulnerabilities, please:
  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Only test systems and data that you are authorised to access
  • Limit testing to what is necessary to confirm the vulnerability
  • Immediately stop testing if sensitive data is exposed
  • Report the issue to LockedOn promptly

Security research on LockedOn products and services must:
  • Comply with Australian law
  • Avoid disruption to our services or operations
  • Avoid accessing, modifying, or storing data belonging to other users
  • Be limited to actions necessary to demonstrate the existence of a vulnerability

If security research is conducted in good faith and in accordance with this policy, LockedOn will not initiate legal action against security researchers in relation to the discovery and responsible reporting of a potential security vulnerability.

LockedOn will act in good faith with individuals who report potential security vulnerabilities and will make reasonable efforts to investigate and address reported issues in a timely manner.

Prohibited Activities

The following activities are not permitted under this policy:

  • Accessing or modifying data belonging to other users
  • Performing denial-of-service testing or attempting to disrupt services
  • Automated scanning that generates excessive traffic
  • Social engineering, phishing, or physical security testing
  • Attempting to exploit a vulnerability beyond what is necessary to demonstrate it
  • Requesting payment or threatening disclosure in exchange for vulnerability information

Reports that involve coercion, extortion, or attempts to obtain payment in exchange for disclosure will not be considered responsible disclosure.

Out of Scope

The following types of reports are generally considered out of scope and may not be reviewed or eligible for recognition:

  • Reports based solely on automated scanning tools without demonstrated security impact.
  • Generic Denial-of-Service (DoS) or Distributed DoS (DDoS) attacks or testing involving sending large volumes of requests to public endpoints.
  • Reports that only demonstrate the ability to repeatedly access or request a publicly accessible URL without identifying a specific application vulnerability.
  • The presence of publicly accessible endpoints, APIs, or files is not considered a vulnerability unless a specific security flaw can be demonstrated.
  • Issues related to third-party services, plugins, libraries, or infrastructure not owned or controlled by LockedOn.
  • Self-XSS or issues that require a user to intentionally execute scripts in their own browser.
  • Clickjacking findings without a demonstrated exploit leading to meaningful security impact.
  • Missing or non-optimal security headers that do not result in a demonstrated vulnerability.
  • Reports related solely to software version disclosure or banner information.
  • Reports based on best-practice recommendations without an accompanying security vulnerability.

LockedOn reserves the right to determine whether a reported issue represents a valid security vulnerability.

Confidentiality and Public Disclosure

We request that all vulnerability reports remain confidential. Please do not disclose or discuss any potential security vulnerability publicly without the express written consent of LockedOn.

Rewards

At our discretion and where this policy is followed, verified security vulnerabilities may be eligible for a cash reward or other recognition.

Submission of a vulnerability report does not create any expectation of compensation.

LockedOn does not negotiate payment in exchange for vulnerability information outside of this policy.

Our Commitment

If you report a vulnerability in accordance with this policy, LockedOn will:

  • Acknowledge receipt of your report
  • Investigate the issue and take appropriate remediation steps
  • Communicate with you where additional information is required

We appreciate the work of security researchers who help keep software ecosystems secure.

Contact

Security reports and questions regarding this policy should be sent to: