Responsible Disclosure Policy

We value the security research community and welcome responsible reports of vulnerabilities in IdeaDunes services.

Our Commitment

IdeaDunes takes security seriously. We are committed to working with security researchers to identify and resolve vulnerabilities quickly and responsibly. If you believe you have found a security issue in our platform, we encourage you to report it through this program.

We commit to:

  • Acknowledging your report within 2 business days
  • Providing an initial assessment within 5 business days
  • Working with you to understand and validate the finding
  • Resolving confirmed vulnerabilities in a timely manner
  • Crediting you in our security acknowledgments (if desired)
  • Not pursuing legal action against researchers acting in good faith

How to Submit a Report

Send your vulnerability report to:

Email: security@ideadunes.com

Please encrypt sensitive reports using our PGP public key, available upon request.

What to Include

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept code, screenshots, or video if applicable
  • The URL(s) and parameter(s) affected
  • Your contact information for follow-up
  • Any suggested remediation if you have one

Scope

In Scope

  • The IdeaDunes web application (*.ideadunes.com)
  • IdeaDunes REST API endpoints
  • Authentication and session management
  • Access control and authorization logic
  • Data exposure and injection vulnerabilities
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Business logic flaws with security implications

Out of Scope

  • Social engineering or phishing attacks against IdeaDunes employees or customers
  • Denial-of-service (DoS/DDoS) attacks
  • Physical security testing
  • Automated scanning without prior coordination
  • Third-party services, apps, or integrations not operated by IdeaDunes
  • Issues in software or infrastructure not maintained by IdeaDunes
  • Vulnerabilities requiring physical access to a user's device
  • Missing security headers that don't demonstrate an exploitable vulnerability
  • SPF/DKIM/DMARC configuration issues without demonstrated impact

Rules of Engagement

To qualify for safe harbor and recognition, researchers must follow these rules:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform tests that degrade service for other users
  • Do not use automated scanners at high volume without prior approval
  • Do not publicly disclose the vulnerability before we have had reasonable time to address it
  • Do use test accounts you own or accounts created specifically for testing
  • Do stop testing and report immediately if you access someone else's data
  • Do give us reasonable time (typically 90 days) to address the issue before public disclosure

Recognition

We acknowledge responsible researchers who submit valid vulnerability reports:

  • Listing on our security acknowledgments page (with your permission)
  • Public credit in release notes for vulnerabilities fixed based on your report
  • Direct acknowledgment from our security team

IdeaDunes does not currently operate a monetary bug bounty program. We may consider bounty payments for critical findings at our discretion.

Response Timeline

Acknowledgment: 2 business days. We confirm receipt of your report.
Assessment: 5 business days. We provide an initial severity assessment.
Resolution: 30–90 days, depending on severity and complexity.

Contact

Security Team: security@ideadunes.com
General Support: Contact Form
Privacy Inquiries: Privacy Policy