Our security team takes all reported security issues extremely seriously, and investigates each report as quickly as possible.
Reporting a vulnerability
If you believe you have discovered a bug or vulnerability in Dynomatic's security, please let us know at [email protected] (optionally using our PGP key), and we will respond to your report as quickly as possible. We request that you do not publicly disclose the issue until it has been addressed by us.
Please include the following information in your report:
A summary of the problem.
A series of steps to reproduce the problem.
Your name, and the URL of a website that we can use to acknowledge you on this page.
Feel free to disclose the information anonymously if you would prefer.
We greatly appreciate all reports, and are happy to offer public recognition for submissions of bugs and vulnerabilities.
We ask that you respect the privacy of our users and their data during your investigation and subsequent disclosure. We will not take legal action against individuals investigating and disclosing vulnerabilities in a responsible, white-hat manner.
Your testing must not violate any laws.
Don't attempt to access the account or data of another user, or of internal Dynomatic systems.
Don't disclose bugs publicly until we have had a reasonable amount of time to fix them.
Don't investigate in a manner that could cause reliability or security issues for the Dynomatic service or its data, or that could result in downtime.
Don't attempt non-technical attacks (such as phishing or social engineering attacks) against our staff or users.
Examples of vulnerabilities
Circumvention of platform and/or privacy permissions
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Server-side code execution (RCE)
If you have any questions or suggestions, please feel free to contact us at any time.