Security Vulnerability Disclosure Policy

Our Commitment

We take the security of our application seriously. We appreciate the efforts of security researchers who help us maintain the security and privacy of our users.

Scope

This policy applies to vulnerabilities in:

  • Our web application and associated services
  • Our APIs and backend systems
  • Any other systems or services we operate

Reporting a Vulnerability

If you discover a security vulnerability, please report it to us by email:

Email: security@doulado.co

Please include the following information in your report:

  • A description of the vulnerability, the affected component or endpoint, and its potential impact
  • Detailed steps to reproduce the issue
  • Any proof-of-concept code or screenshots (if applicable), with any user data redacted
  • Your contact information for follow-up questions

What to Expect

When you report a vulnerability to us:

  1. Acknowledgment: We will acknowledge receipt of your report within 3 business days
  2. Communication: We will keep you informed of our progress as we investigate and address the issue
  3. Timeline: We aim to provide an initial assessment within 10 business days, including our evaluation of the report and the expected timeline for a fix
  4. Credit: With your permission, we will publicly acknowledge your responsible disclosure once the issue is resolved

Our Safe Harbor Commitment

We will not pursue legal action against researchers who:

  • Make a good faith effort to comply with this policy
  • Avoid violating the privacy of our users, disrupting our systems, or destroying data
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
  • Do not publicly disclose the vulnerability before we have had a reasonable time to address it

Guidelines for Researchers

We ask that you:

  • Do not test against our production application; direct all testing to test.doulado.co
  • Do not access, modify, or delete user data without explicit permission; if you encounter user data while testing, stop, do not retain it, and tell us in your report
  • Do not perform attacks that could harm the reliability or integrity of our services (e.g., DDoS attacks)
  • Do not use social engineering or physical attacks against our employees or infrastructure
  • Do not publicly disclose the vulnerability until we have deployed a fix and agreed on a disclosure date, subject to the Disclosure Timeline below
  • Limit your testing to the minimum necessary to demonstrate the vulnerability

Out of Scope

The following are generally considered out of scope:

  • Theoretical vulnerabilities without demonstrated exploitability
  • Social engineering attacks
  • Denial of Service attacks
  • Spam or phishing attacks
  • Physical attacks against our facilities
  • Recently disclosed vulnerabilities (publicly disclosed less than 30 days ago) that we are already working to fix

Disclosure Timeline

We request that you allow us:

  • At least 30 days from receipt of your report to complete our investigation and respond
  • Up to 90 days from receipt of your report to develop and deploy a fix before you disclose publicly

If more time is needed, we will work with you to agree on a reasonable extension.

Questions?

If you have questions about this policy, please contact us at security@doulado.co.