Responsible Disclosure
We value the security community and are committed to working with researchers to verify and fix potential vulnerabilities in a responsible way.
Purpose
The safety and security of our customers’ data, and the reliability of our products and services, are core priorities for DevGuardian. This policy explains how we work with security researchers to receive, assess, and remediate reports of potential vulnerabilities in a responsible way.
Scope
This policy applies to DevGuardian-owned services, websites, and software.
In scope (examples)
- Public-facing web applications and APIs operated by DevGuardian
- devguardian.site and subdomains owned and controlled by DevGuardian
- Authentication, authorization, and session management mechanisms
- Security controls that protect customer data and service availability
Out of scope (examples)
- Third-party services or platforms that DevGuardian does not control
- Social engineering attacks (phishing, vishing, etc.)
- Physical security attacks against DevGuardian, our employees, or customers
- Denial-of-service (DoS/DDoS) or any testing that degrades service for other users
- Automated vulnerability scans without prior coordination
If you are unsure whether a specific asset or test method is in scope, please contact us before proceeding.
Report a Security Issue
If you believe you’ve discovered a security vulnerability in a DevGuardian website, service, or system, please let us know so we can investigate and fix the issue.
How to report
We accept vulnerability reports by email only so that you can safely include any supporting details and attachments. Send your report to team@devguardian.site with the subject line: “Security Issue Report – [short description]”.
Please include:
- A clear description of the issue and its potential impact
- The specific URL, endpoint, or system affected
- Exact steps to reproduce the issue (including any relevant parameters or test accounts)
- Expected vs. actual behavior
- Any supporting details such as screenshots, logs, or proof-of-concept code (attach these to your email)
Important: We do not provide any file upload forms on our website. If you need to share files, please attach them directly to your email.
While testing, please:
- Avoid accessing, modifying, or deleting data that does not belong to you
- Avoid actions that could degrade our services for other users
- Use test or demo accounts whenever possible
What to Expect from Us
After you submit a report by email, we will:
- Acknowledge receipt of your report as soon as reasonably possible
- Review and validate the issue
- Assess the severity and impact
- Work to remediate confirmed vulnerabilities
- Keep you updated on progress and notify you when the issue has been fixed
Response and resolution times may vary based on the complexity and impact of the issue, but we aim to treat all valid reports with urgency and respect.
Researcher Recognition
We currently do not offer monetary bug bounties.
However, we greatly appreciate the efforts of security researchers who help keep DevGuardian and our customers safe. With your explicit consent, we may recognize your contribution in a Security Researchers Hall of Fame section or page after a valid, non-duplicate vulnerability has been fixed.
Recognition may include:
- Your name or preferred alias
- An optional link (for example, a personal website or social profile)
- A brief, high-level description of the issue you reported
If you would like to be recognized, please indicate this in your email report and tell us the exact name/alias and link you’d like us to use.
Safe Harbor
DevGuardian will not pursue legal action against individuals who:
- Discover and report security issues in good faith
- Follow this Responsible Disclosure Policy
- Do not exploit a vulnerability beyond what is necessary to demonstrate its existence
- Do not access, modify, or destroy data that does not belong to them
- Give us a reasonable opportunity to remediate the issue before publicly disclosing any details
If you have any questions about whether your planned research is covered by this policy, please contact us at team@devguardian.site before you begin testing.