Reporting Vulnerabilities

Please help us to keep the tools safe for use.

We take the security of our tools extremely seriously and investigate any reported issues and vulnerabilities.

Vulnerability Disclosure Program

Oblivious runs a Vulnerability Disclosure Program on the Bugcrowd platform. All discussion of a reported vulnerability takes place through Bugcrowd, where researchers can track the status of their submissions.

Public Notifications

If an issue comes to light that could affect the privacy or security of our customers, we will notify all current and past customers who may be impacted.

To protect our customers, please do not publish details of a vulnerability until we have communicated directly with our user base.

Safe Harbor

Following the position taken by AWS, we provide safe harbor for security research performed in good faith, and we adopt Disclose.io's Core Terms. If you would like to collaborate on security research, please reach out to us at research@oblivious.ai.

Scope

The following domains are in scope for the Vulnerability Disclosure Program:

Program Rules

  • Please DO NOT create an excessive number of deployments or services.
  • Please DO NOT target assets belonging to Oblivious customers.
  • Please DO NOT attempt brute-force or volume-based attacks, rate-limit testing, automated scanning, or any other activity that could cause a denial of service.
  • Please provide detailed reports with reproducible steps.
  • Social engineering is prohibited. Contacting employees or customers of Oblivious is strictly prohibited.
  • Please DO NOT exploit a discovered vulnerability beyond what is needed to demonstrate it, and never in a way that disrupts our services.

Issues not to report

The following issues are considered out of scope:

  • Missing HTTP response security headers such as X-XSS-Protection, Strict-Transport-Security, or X-Content-Type-Options.
  • Any activity that could lead to the disruption of our service (DoS).
  • Email configuration issues such as missing or weak SPF, DKIM, or DMARC records.
  • Banner or version information disclosure.

How to report a security vulnerability

If you believe you have identified a vulnerability in the Oblivious tool suite or in AWS Nitro itself, we would appreciate it if you reported your findings through our Vulnerability Disclosure Program (VDP) by writing directly to oblivious-vdp@submit.bugcrowd.com. Please describe the vulnerability as specifically as possible (affected component, preconditions, and steps to reproduce) so that our engineers can mitigate the issue effectively.

We ask you to do so discreetly so that the team can patch the vulnerability and inform our user base responsibly and safely. We commit to keeping you informed throughout the process.