Responsible Disclosure
Dalwax values the security research community. If you've discovered a vulnerability, we want to hear from you.
Our Commitment
Dalwax is committed to the security of our systems, our clients' data, and the broader internet ecosystem. We welcome responsible security research and will not pursue legal action against researchers who follow this policy in good faith.
Scope
This policy applies to vulnerabilities discovered in:
- dalwax.com and all subdomains
- Dalwax Client Portal
- Dalwax public APIs
- Dalwax mobile applications
The following are out of scope: social engineering attacks against Dalwax employees, physical security assessments, denial-of-service attacks, third-party services and applications, and vulnerabilities in client environments.
Guidelines
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could degrade service availability
- Do not publicly disclose vulnerabilities before we've had a reasonable opportunity to remediate (90 days)
- Provide sufficient detail for us to reproduce and validate the vulnerability
- Act in good faith to avoid privacy violations and service disruption
How to Report
Submit vulnerability reports to security@dalwax.com with:
- Description of the vulnerability and potential impact
- Steps to reproduce (including URLs, request/response data)
- Screenshots or proof-of-concept code
- Your contact information for follow-up
For sensitive reports, encrypt your email using our PGP key available at dalwax.com/.well-known/security.txt.
Our Response
- Acknowledgment within 24 hours of receiving your report
- Initial assessment and severity classification within 72 hours
- Regular status updates during remediation
- Credit in our security hall of fame (if desired)
- Bug bounty rewards for qualifying vulnerabilities
Bug Bounty Rewards
- $2,000–$10,000
- $500–$2,000
- $100–$500
- Recognition
Safe Harbor
Dalwax will not pursue civil or criminal action against researchers who comply with this policy. We consider security research conducted under this policy to be authorized under the Computer Fraud and Abuse Act (CFAA), the DMCA, and equivalent international laws.