Policies · Policy 10

Responsible Disclosure

We welcome reports from security researchers acting in good faith. This policy explains the rules of engagement and our commitments back to you.

1. Scope

In scope: *.dfamachine.com, the customer portal, the public APIs documented at api.dfamachine.com, and our mobile apps. Out of scope: third-party SaaS we use (report directly to the vendor), denial-of-service attacks, social engineering of our staff, physical attacks, and any test that degrades availability for other customers.

2. How to report

Email contact@dfamachine.com with subject "Security · Disclosure". Encrypt with our PGP key (fingerprint F1A2 3B4C 5D6E 7F80 91A2 B3C4 D5E6 F708 19AB CDEF) if the report contains sensitive details or exploit code. A /.well-known/security.txt file is published with the latest contact details.

3. What to include

  • A clear technical description of the vulnerability and its impact.
  • Step-by-step reproduction instructions or proof-of-concept.
  • Affected URL(s), parameter(s) and timestamps.
  • Your contact details and whether you wish to be credited.

4. Our commitments

  • Acknowledge your report within 1 business day.
  • Provide a triage decision and severity rating within 5 business days.
  • Keep you informed of remediation progress at agreed intervals.
  • Credit you in our hall of fame on request once the fix is shipped.
  • Pay a discretionary bounty for high-impact, novel findings (subject to local law). We do not currently run a public paid programme.

5. Safe harbour

If you act in good faith, follow this policy, give us reasonable time to remediate, do not access more data than necessary to prove a vulnerability, do not disrupt or degrade service, and do not disclose the issue publicly before we agree, we will:

  • Consider your activities authorised under the Computer Misuse Act 1990 and equivalent EU computer-misuse laws.
  • Not pursue or support any legal action against you.
  • Work in good faith to resolve any inadvertent breach you disclose to us in your report.

6. Rules of engagement

  • Use only test accounts you create yourself, or accounts you have written permission to test.
  • Do not run automated scanners against production endpoints at high rates — coordinate with us first.
  • Do not access, modify, exfiltrate or destroy customer data. If you accidentally encounter customer data, stop, delete your copy and tell us immediately.
  • Do not perform tests that could degrade service for other users.
  • Comply with all applicable laws.

7. Disclosure timeline

Our default is 90 days coordinated disclosure from triage. We may agree shorter or longer timelines depending on severity and complexity. Public write-ups are welcome once the fix has been deployed and credit, if any, has been agreed.

8. Hall of fame

We publish acknowledgements for researchers who have helped improve our security at dfamachine.com/security/hall-of-fame (with permission).