Responsible Disclosure Policy

(Effective March 1, 2026)

Overview

At First Orion, the security of our customer portals and the protection of customer information are core priorities. We welcome reports from security researchers and members of the public who identify potential vulnerabilities and report them responsibly.

This policy outlines how to report security issues related to our customer portals and how we handle those reports.

Scope

This policy applies to security vulnerabilities that could reasonably impact the confidentiality, integrity, or availability of our systems or data discovered in:

• First Orion customer portals (portal.firstorion.com, portal-eu.firstorion.com)
• APIs and backend services supporting the portals
• Authentication, authorization, and session management controls

This policy does not apply to:

• Third-party systems not operated or maintained by First Orion
• Denial‑of‑service attacks
• Social engineering or phishing attacks
• Physical security issues

How to Report a Vulnerability

If you believe you have identified a security vulnerability, please report it promptly.
Email: incident@firstorion.com
Subject Line: Responsible Disclosure – Customer Portal Security Vulnerability

Please include:

• A description of the issue
• Steps to reproduce the issue
• Affected URLs or endpoints
• Proof of concept (if available)
• Potential security impact

Safe Harbor

First Orion considers security research conducted in good faith and in accordance with this policy to be authorized.

We will not pursue legal action against individuals who:

• Act in good faith to comply with this Responsible Disclosure Policy
• Avoid privacy violations and data destruction
• Do not publicly disclose the issue prior to remediation.
• Do not exploit the vulnerability for personal gain.
• Allow us a reasonable time to investigate and remediate the issue

Testing Guidelines

When testing a customer portal:

• Use only accounts you own or have permission to use
• Minimize impact and access

Do not:

• Access or modify other users’ data
• Disrupt services
• Attempt unauthorized privilege escalation
• Use outdated systems

Our Response Process

When a vulnerability is reported in compliance with this policy, we commit to:
• Acknowledging receipt within 72 hours
• Assessing and validating the issue
• Prioritizing remediation based on risk
• Communicating as appropriate during resolution

Disclosure

We ask that vulnerability details remain confidential until remediation is complete. Coordinated disclosure may occur by mutual agreement after resolution. With permission, we may acknowledge reporters publicly.

Contact

For questions or to report a vulnerability:
incident@firstorion.com