Responsible Disclosure Policy
Effective May 2026
Overview
DMHub Inc. (“DMHub”, “we”, “us”) takes the security of our platform seriously. We appreciate the work of security researchers who help us protect our customers. This policy describes how to report vulnerabilities responsibly and the protections we offer researchers who do so in good faith.
If you believe you have found a security vulnerability in any DMHub product or infrastructure, please report it to us following the guidelines below. We commit to working with you to understand and address the issue promptly.
Scope
The following systems and services are in scope for responsible disclosure:
- dmhub.ai and all subdomains (app.dmhub.ai, api.dmhub.ai, etc.)
- DMHub APIs — REST and webhook endpoints documented at dmhub.ai/docs/api
- DMHub mobile applications (iOS and Android, where available)
- DMHub open-source libraries published under the DMHub GitHub organization
- Authentication and authorization systems — login, session management, OAuth flows, 2FA
Vulnerability classes of particular interest include: authentication bypasses, privilege escalation, SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), remote code execution, insecure direct object references (IDOR), and data leakage.
Out of Scope
The following are not in scope and should not be tested:
- Third-party services, vendors, or sub-processors (report directly to them)
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks — any testing that degrades service availability
- Physical security of DMHub offices or data centers
- Social engineering or phishing attacks against DMHub employees or customers
- Automated scanning that generates excessive traffic
- Vulnerabilities in end-user browsers, operating systems, or devices not related to our platform
- Self-XSS that requires the victim to take unlikely actions
- Missing security headers that do not lead to a practical exploit (e.g., missing X-Content-Type-Options alone)
- Rate limiting on non-sensitive endpoints
Safe Harbor
DMHub will not pursue civil or criminal action against researchers who discover and report security vulnerabilities in good faith, provided that the researcher:
- Follows this policy and does not violate any applicable law
- Does not access, exfiltrate, modify, or destroy data belonging to other users without their explicit consent
- Does not degrade the availability of DMHub services to other users
- Does not disclose the vulnerability publicly until DMHub has had a reasonable opportunity to address it (see Response SLA below)
- Acts in good faith and with the intent of improving security, not causing harm
We consider activities conducted consistent with this policy to constitute “authorized access” under the Computer Fraud and Abuse Act (CFAA) and equivalent laws. We will not bring or support a claim under the DMCA for security research conducted within the scope of this policy.
How to Report
Send vulnerability reports to security@dmhub.ai. Please include:
- Description — clear description of the vulnerability, including the attack class (e.g., IDOR, XSS, SQLi)
- Steps to reproduce — detailed step-by-step instructions, including any relevant URLs, request/response bodies, or screenshots
- Impact — who can exploit this, what data or actions are affected
- Evidence — proof-of-concept code or screenshots where applicable. Do not include actual customer PII in your report.
- Your contact details — so we can follow up with questions and provide credit if desired
You may encrypt your report using our PGP key, available at https://www.dmhub.ai/.well-known/pgp-key.txt or on request from security@dmhub.ai.
Do not report vulnerabilities through GitHub issues, social media, or support tickets — these channels are not monitored by our security team.
Response SLA
We commit to the following timelines once a report is received:
- Acknowledgment: within 2 business days
- Initial assessment: within 5 business days
- Remediation timeline: within 30 days for critical/high severity, 90 days for medium/low severity
- Disclosure coordination: we will notify you before publishing a fix and coordinate public disclosure timing with you
If you have not received an acknowledgment within 2 business days, please follow up to ensure your report was received.
We ask that researchers refrain from public disclosure until 90 days have elapsed from the date of acknowledgment, or until we have released a fix, whichever comes first. If we require more time due to complexity, we will communicate this proactively and work with you to agree on an extended timeline.
Recognition
DMHub does not currently operate a paid bug bounty program. However, we offer the following to researchers who responsibly disclose valid vulnerabilities:
- Public acknowledgment on our security hall of fame (with your permission)
- A letter of recognition for your portfolio or employer
- For critical/high severity findings that protect customer data: complimentary DMHub Pro subscription (12 months)
We reserve the right to determine severity and eligibility for recognition at our discretion.
Contact
Security team: security@dmhub.ai
For general security questions or to request a completed security questionnaire, you may also reach us at the same address.
This policy is reviewed and updated annually. Changes are noted by the “Effective” date at the top of this page.
Questions about this document? privacy@dmhub.ai