Report a Security Vulnerability
At Dust, our top priority is the safety, security, and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible disclosure of potential security vulnerabilities, the Dust security team has committed to working with the community to verify, reproduce, and respond to legitimate reports through our HackerOne vulnerability disclosure program.
If you believe you've identified a potential security vulnerability in any Dust service, please report it to us. We will investigate all legitimate reports and do our best to quickly respond and address reported issues.
Note: our codebase is accessible at https://github.com/dust-tt.dust
Disclosure Policy
Please do not discuss any vulnerability (even resolved ones) outside of the program without express consent from us. Follow HackerOne's disclosure guidelines.
Program Rules
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with accounts you own or with explicit permission of the account holder.
• Researchers should add headers such as X-HackerOne-Research: [H1 username] to their requests.