Security and vulnerability disclosure policy

This policy applies to any vulnerability you are considering reporting to Deploy Dash. Report vulnerabilities privately by email at security@deploydash.com or via the disclosure form on this page.

Reporting requirements

Include enough information for quick and accurate triage:

  • The desktop app version, operating system, and affected component (or website endpoint, where applicable).
  • A short vulnerability classification (for example, XSS).
  • Step-by-step, benign, non-destructive proof-of-concept instructions.
  • Impact context to support severity assessment.

What to expect from us

  • We aim to respond as soon as possible and keep you informed of progress throughout handling.
  • Remediation priority is determined by impact, severity, and exploit complexity.
  • Status enquiries are welcome, but please avoid more than one update request every 14 days so remediation work can continue efficiently.
  • We will notify you when remediation is complete and may invite validation that the fix covers the issue.
  • Once fixed, coordinated public disclosure is welcome. Please continue to coordinate release timing and wording with us.

Researcher guidance

You must not

  • Break any applicable law or regulation.
  • Access unnecessary, excessive, or significant amounts of data.
  • Modify data in Deploy Dash systems or services.
  • Use high-intensity invasive or destructive scanning tools.
  • Attempt or report denial-of-service activity.
  • Disrupt services or systems.
  • Communicate vulnerabilities outside channels published in security.txt.
  • Social engineer, phish, or physically attack staff or infrastructure.
  • Demand financial compensation in exchange for disclosure.

You must

  • Always comply with data protection and privacy requirements.
  • Never share, redistribute, or insecurely store data retrieved during research.
  • Securely delete retrieved data when no longer required, or within 1 month of remediation (unless law requires otherwise).
  • Provide benign, non-destructive proof-of-concept reproduction steps.

Legalities

This policy is designed to be compatible with common coordinated vulnerability disclosure good practice. It does not permit any action that is unlawful, or that causes Deploy Dash, its users and customers, or partner organisations to breach legal obligations.

Security disclosure form

Use this form if you prefer a guided submission. We will reply to the contact email you provide.

Prefer email? Send directly to security@deploydash.com.