🛡.DYNE.ORG

sec bounty program

No technology is perfect, and at Dyne.org we take privacy and security very seriously. As such, we encourage everyone to participate in our security bounty program, which incentivizes researchers and hackers alike to responsibly find, disclose, and help us resolve security vulnerabilities.

If you believe you've found a security issue in our product or service, we encourage you to notify us. We will reward bounties for ethically reported bugs. Please review the following program rules before you report a vulnerability.

policy

Keeping user information safe and secure is a top priority and a core principle at Dyne. We welcome the contributions of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Dyne employees and users.

rewards

Dyne provides rewards to vulnerability reporters at its discretion (see the “Submission” section). Rewards may vary depending on the severity and impact of the reported vulnerability, as well as the quality of the report. Keep in mind that this is not a contest or competition.

Eligibility and Responsible Disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
  • Do not access or modify our data or our users’ data without the explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local copies upon reporting the vulnerability to Dyne;
  • Be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award, since such reports are explicitly out of scope;
  • Share the security issue with us in detail;
  • Give us a reasonable time to respond to the issue;
  • Comply with all applicable laws.

We only reward the first reporter of a vulnerability.

Public disclosure of the vulnerability or disclosure to third parties is not permitted and will cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Repeatedly sending messages to security@dyne.org about the same issue merely to check on the status of a submission will disqualify that submission.

Out-of-scope Vulnerabilities

  • Our policies on the presence/absence of SPF/DMARC records.

  • Password, email, and account policies, such as email ID verification, reset link expiration, and password complexity.

  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).

  • Attacks requiring physical access to a user’s device.

  • Missing security headers which do not lead directly to a vulnerability.

  • Missing best practices (we require evidence of a security vulnerability).

  • Self-XSS (we require evidence on how the XSS can be used in an attack).

  • Host header injections unless you can show how they can lead to stealing data.

  • Use of a known-vulnerable library (without evidence of exploitability).

  • Issues relating to buggy non-Dyne software.

  • Reports from automated tools or scans.

  • Reports of spam (i.e., any report involving the ability to send emails without rate limits).

  • Attacks that require the attacker app to have the permission to overlay on top of our app (e.g., tapjacking).

  • Vulnerabilities affecting users of outdated browsers or platforms.

  • Social engineering of Dyne employees or contractors.

  • Any physical attempts against Dyne property.

  • Presence of autocomplete attribute on web forms.

  • Missing cookie flags on non-sensitive cookies.

  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner).

  • Any access to data where the targeted user needs to be operating a rooted mobile device.

  • Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope without evidence of exploitability.

  • IP/Port Scanning via LogMeOnce services unless you are able to hit private IPs or Dyne servers.

  • Mobile app.

  • Hyperlink injection or any link injection in emails we send.

  • Creating multiple accounts using the same email address.

  • Being able to upload files with the wrong extension in the file chooser.