We welcome good‑faith reports. If you believe you have found a security vulnerability affecting theoa.group or our services, please notify us so we can remediate.

Scope. Systems and services under theoa.group and sub‑domains we operate. Third‑party platforms and vendors are out of scope unless explicitly stated.

How to report. Email legal@theoa.group with:

• Description of the issue, affected host/page, and the minimal steps to reproduce.

• Proof‑of‑concept or screenshots (no excessive data exfiltration).

• Your contact and PGP key if you require encrypted replies.

What to avoid. No DDoS, social engineering, spam, physical attempts, or privacy violations. Do not access, modify, or delete data that is not your own; do not impact availability or user experience.

Safe harbor. If you comply with this Policy and act in good faith, we will not pursue legal action against you for your research and will consider your testing authorized. This does not apply to actions that are illegal or destructive.

Acknowledgment. We acknowledge within 5 business days, provide a case ID, and keep you informed of remediation progress. We do not currently offer a bug bounty, but we may offer public thanks with your consent.

Privacy. We process any personal data in your report solely to triage and remediate the issue (see Privacy Policy).