Responsible Disclosure Policy

Effective Date: 2026-01-19
Last Updated: 2026-01-19

If you believe you have found a security vulnerability in the DorsalHub Service, we encourage you to let us know right away.

We will investigate all legitimate reports and do our best to quickly fix the problem.

1. Safe Harbor

DorsalHub considers security research to be a valuable activity. If you conduct security research and vulnerability disclosure in accordance with this policy, we will:

  • Not pursue legal action against you regarding your research.
  • Not suspend or terminate your account provided your testing was limited to your own account and data.
  • Work with you to understand and resolve the issue quickly.

This policy overrides any conflicting terms in our Terms of Service or Acceptable Use Policy regarding the prohibition of security testing, strictly limited to the authorized conduct described below.

2. Reporting a Vulnerability

Please send your report to security@dorsalhub.com.

In your report, please include:

  1. A description of the location and potential impact of the vulnerability.
  2. A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and videos are helpful).
  3. Your name/handle (optional), so we can acknowledge your contribution if you wish.

3. Guidelines & Rules of Engagement

To remain within the scope of this policy and Safe Harbor protection, you must:

  • Own the Data: Only test vulnerabilities on your own account or on content you have explicit permission to test. Never attempt to access, modify, or delete the private data of other users.
  • Do No Harm: Do not perform actions that could degrade the performance of our service (e.g., DoS/DDoS attacks, spamming forms).
  • No Phishing: Do not use social engineering, phishing, or physical attacks against DorsalHub employees or users.
  • Confidentiality: Do not disclose the vulnerability to the public or third parties until we have confirmed that the issue has been resolved.

4. Out of Scope

The following types of issues are currently considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • CSRF on forms with no sensitive actions (e.g., logout).
  • Attacks requiring physical access to a user's device.
  • Missing security headers (unless they lead to a direct exploit).
  • Email SPF/DKIM/DMARC configuration issues.

5. Our Commitment

When you report a vulnerability, we commit to:

  • Acknowledging receipt of your report within 5 business days.
  • Providing an estimated timeframe for the fix.
  • Notifying you when the fix has been deployed.

Thank you for helping keep DorsalHub safe.