Dwellsy

Responsible Vulnerability Disclosure

Product Security

Dwellsy's goal is to prevent fraud in all its forms, and we have chosen to focus a Zero Fraud initiative on combating the various forms of fraud that are typically found in the real estate marketplace. To that end, we appreciate the work of security researchers, analysts, and hackers who contribute their time and energy to notifying us of potential vulnerabilities in our products and services, as it helps to keep our customers safe and better protected from the sorts of harms common in the marketplace.

What can be reported?

You can report any security vulnerabilities or flaws that you have found in any of our products or services. Common examples include cross-site scripting (XSS) vulnerabilities, naive logic errors, or remote privilege escalations. We are happy to hear from you regarding any errors you encounter, but if you're inquiring about what is rewardable, the following matters would be considered out of scope:

  • Self XSS errors
  • Text injection / local DOM manipulation
  • Email spoofing issues
  • Path disclosure from descriptive errors
  • Fingerprint / IP / Banner disclosure of public services
  • Non-critical CSRF issues
  • Rate limiting / Denial of Service (DOS) / Distributed DOS failures
  • Mixed SSL content warnings
  • Physical / Social Engineering / Phishing exploits
  • Non-sensitive file disclosure (robots.txt, .gitignore, etc.)
  • Brute force issues

How to report?

Vulnerabilities should be disclosed to us via our FlowCrypt contact page. Take note of our https://flowcrypt.com/pub/dwellsysecurity

We will endeavor to respond and confirm receipt of the error as soon as we possibly can. Once we have looked into the issue and confirmed it, we will update you on the confirmation of the issue and discuss severity and payment.

Please

Please do not exploit vulnerabilities that have been found.

Please do not modify information on our systems.

Please do not affect the deliverability of the Dwellsy service to its customers through denial of service attacks or rate limiting bypasses.

Please allow us a chance to respond before full disclosure.

Please acknowledge that despite doing rather big things, Dwellsy is still a really small team that is doing our best, and protecting our customers' sensitive information is very important to us.

Anonymous Reports

Yes, we're happy to accept anonymous reports, but it makes it hard for us to respond without some voluntarily provided information. That said, we are more than happy to keep your identity as anonymous to others as you like. Or if you prefer, we're happy to award very public certificates of our appreciation. Your identity is yours to disclose, and a request to keep your identity between us will be honored.

If you are reporting vulnerabilities to us anonymously, please make sure to provide a way to reach you and know that we will not disclose that information without your express permission.