Responsible disclosure policy
Dintero greatly appreciates input from security researchers wanting to help. We encourage responsible vulnerability research and disclosure. If you discover a vulnerability in any of our systems, please let us know about it so we can address it as quickly as possible.
Reporting a vulnerability
If you have discovered an issue you want to report, please do the following:
- Email your findings to email@example.com.
- Include details of what the issue is, how you discovered it, and attach any screenshots and such if possible. See the section below for additional details that are useful to include in the report.
- Ensure you give enough details for us to reproduce the issue.
- Please do not take advantage of the vulnerability you have found.
- Please do not disclose the vulnerability to others until it is resolved.
Vulnerability-related information
- Product or service in which the vulnerability is found.
  - Product or service name
  - Product or service URL
- Anomalous behavior caused by the vulnerability.
- Procedure for reproduction of the vulnerable condition.
- Probability of reproduction (choose one of the following three):
- Possible threat caused by the vulnerability.
- PoC (Proof of Concept) code.
- Other comments from the reporter (including severity assessment)
  - Describe the specific impact and how you would envision it being used in an attack scenario.
  - Do you believe the vulnerability is being exploited? Yes/No
  - Is an exploit publicly available? Yes/No
All Dintero services, products and web properties are in scope.
The following issues are currently considered out of scope:
- Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests).
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Social engineering and physical security attacks.
- Brute force attacks.
- SSL/TLS configuration weaknesses.
- Clickjacking and other issues only exploitable through clickjacking.
- Spoofing attacks.
We currently do not offer a paid bug bounty program. However, we do offer tokens of appreciation when certain thresholds for reported findings are met.
Security researchers who have spent significant time and effort investigating and reporting an issue to us may also be rewarded, as we want to recognize their work.
We will not take legal action against security researchers reporting their findings in a responsible manner to us or our Customer Service Center by following the instructions in this document. We ask you to:
- Play by the rules and follow our Disclosure Policy.
- Do not violate the privacy of others by e.g. sharing or not properly securing data.
- Never attempt to gain access to another user’s account or data.
- Promptly report any vulnerabilities you find to us as described in this document.
- Do not disclose any vulnerabilities or associated details to anyone other than your dedicated Dintero security analyst.
- Allow our security team reasonable time to resolve the issue.
If you want to give feedback or suggestions on this policy, submit them to firstname.lastname@example.org. We are continually improving this policy and appreciate your input.