Responsible Disclosure Program

A responsible disclosure program is a process that organizations establish to encourage security researchers and other ethical hackers to report security vulnerabilities they discover in the organization's products or services so that the organization can fix them before malicious actors exploit them.

At Dash Hudson, we greatly value the support of cybersecurity community members in helping us maintain our high cybersecurity standards. If you identify a security vulnerability relating to our platform, please notify us promptly before disclosing the vulnerability to the outside world so we can take the necessary measures. 

Please keep all information relating to the discovered vulnerability confidential from all third parties for a period of at least 60 days, allowing us to identify and implement the measures needed to address the issue you have reported.

The current scope for reporting includes the following websites:

How Do You Notify Us?

If you have identified a security vulnerability, please proceed as follows:

Notify us as soon as possible via email to security@dashhudson.com

Please include the following information in your report:

  • Contact details (i.e., name and email address );
  • Type of vulnerability identified;
  • Service/device/application impacted by the vulnerability;
  • A detailed description of the problem encountered;
  • Any files that can help reproduce the flaw (e.g., screenshots, images, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, etc.)

Do not take any actions beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your advantage and avoid storing any confidential data obtained due to the issue.

Examples of Vulnerabilities We Will Consider

  • Injection and deserialization vulnerabilities (SQL/NoSQL/LDAP injection, command injection, object deserialization)
  • Broken authentication and broken access control vulnerabilities (incorrect implementation of authentication, session management, access control)
  • Sensitive data exposure (vulnerabilities that can lead to data leakage)
  • Cross-site scripting
  • Cross-site request forgeries
  • Server-side request forgeries
  • Redirect vulnerabilities
  • Underprotected API
  • Known and zero-day vulnerabilities under the spotlight

Examples of Vulnerabilities We Will Not Consider

We continuously monitor our internet-exposed assets to identify security issues and misconfigurations. We, therefore, kindly ask that you avoid reporting the following items if they don’t lead to actual exploitation:

  • Weak configurations of the TLS protocol;
  • Reports of non-compliance with best practices (e.g., for SPF/DKIM/DMARC configuration, content security policy, TLS misconfigurations);
  • The output of well-known automated tools/solutions

How Will We Respond?

If you report a security vulnerability relating to any of our websites specified above, we will process your report as follows.

  • We will confirm receipt of your report within two business days.
  • We will send you our response within five business days following the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. In some special circumstances, we reserve the right to extend this period by giving appropriate notice.
  • We will treat your report as confidential and not share your details with third parties except when obliged by law.
  • Reward dependent on the severity and criticality of the issue identified