Security

Responsible Disclosure

Last updated: May 2026

DygDog welcomes reports from security researchers. If you believe you have found a vulnerability in our product or infrastructure, we want to hear from you. This page describes how to report it, what you can expect from us, and the safe-harbour terms under which good-faith research is conducted.

Report a vulnerability

Email security@dyg.dog — we aim to acknowledge every report within 48 hours.

Machine-readable version (RFC 9116): /.well-known/security.txt

1. We Welcome Responsible Disclosure

  • DygDog operates a security scanning platform. We hold ourselves to the same standard we ask of every customer: every report is acknowledged, investigated, and acted on.
  • If you have identified a vulnerability — in our product, our infrastructure, or any system we operate — we want to hear from you. Reports submitted in good faith are always welcome.
  • You do not need to be a customer or have a paid account to report a vulnerability. There is no bounty program, but credit is offered (see Section 5).

2. How to Report

  • Email security@dyg.dog with your finding. PGP encryption is supported on request.
  • Include: a clear title, the affected URL or component, reproduction steps, the impact you observed, and any supporting evidence (HTTP request/response pairs, screenshots, logs).
  • Do not include exploit payloads against third-party systems. Do not include personal data of other users obtained as part of testing.
  • If you accidentally accessed user data during testing, please tell us in your report and delete the data immediately. We will not pursue you for accidental access disclosed in good faith.

3. Our Commitments to You

  • Acknowledgement: we aim to acknowledge every report within 48 hours of receipt.
  • Triage: we aim to provide an initial severity assessment and confirmation of reproducibility within 5 business days.
  • Updates: we will keep you informed of remediation progress at reasonable intervals.
  • Resolution: we aim to remediate critical and high-severity issues within 30 days, and medium-severity issues within 90 days.
  • Transparency: once remediated, we are happy to publish a co-authored advisory on request.

4. Safe Harbour

  • We will not pursue legal action against researchers who act in good faith and follow this policy.
  • Good faith means: scanning only systems we operate, avoiding privacy violations and service disruption, not exfiltrating data beyond what is needed to demonstrate impact, and giving us reasonable time to remediate before public disclosure.
  • Activities outside this scope (denial-of-service, data exfiltration at scale, social engineering of staff or other customers, physical attacks) are not authorised and are not covered by safe harbour.
  • In-scope assets include: dyg.dog, *.dyg.dog, our public APIs, and our official packages on npm/PyPI. Out of scope: third-party services we depend on (Vercel, Supabase, Upstash) — please report those to the upstream vendor directly.

5. Recognition

  • Reporters of valid vulnerabilities are credited in our public changelog at the time of remediation, unless they request anonymity.
  • Credit is offered for: confirmed vulnerabilities, novel attack chains, and any report that materially improves the security of the platform.
  • No monetary bounty is offered at this time.

6. Contact

  • Email: security@dyg.dog
  • PGP: available on request — email security@dyg.dog with subject “PGP key request”.
  • Machine-readable disclosure metadata is published at /.well-known/security.txt per RFC 9116.

This policy is published in machine-readable form at /.well-known/security.txt per RFC 9116. We may revise this page from time to time; the “Last updated” date above reflects the most recent change.