Dust Security Bug Bounty Program
Program highlights
Open Scope
Accepts reports for all owned assets based on impact, even if not listed in scope.
Gold Standard Safe Harbor
Adheres to Gold Standard Safe Harbor.
Coordinated Vulnerability Disclosure
Undeclared
Top Response Efficiency
This program's response efficiency is above 90%.
- Average time to first response: 16 hours
- Average time to triage: 1 day, 3 hours
Overview
At Dust, our top priority is the safety, security, and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible disclosure of potential security vulnerabilities, the Dust security team has committed to working with the community to verify, reproduce, and respond to legitimate reports.
Our codebase is accessible at https://github.com/dust-tt/dust
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with the explicit permission of the account holder.
Session Layer: HTTP Headers
Researchers should add headers to their requests, such as:
- "X-HackerOne-Research: [H1 username]"
Common duplicates
Please review the following closed reports to avoid submitting a duplicate report:
Thank you for helping keep Dust and our users safe!