Responsible Vulnerability Disclosure

Dwellsy Vulnerability Disclosure & Bug Bounty

Our Commitment

Dwellsy is committed to protecting renters and property partners. We welcome responsible disclosure of security vulnerabilities that could impact our users or systems.

This is a lean program run by a small team. Its primary goal is to identify and remediate meaningful security issues, not to maximize the number of reports or provide a primary income source for researchers. We reward impactful, well-documented findings that are clearly in scope; broad scanning and low-signal submissions are unlikely to receive any recognition or reward.

Scope

In scope (examples):

  • Authentication/authorization flaws (account takeover, insecure direct object references / IDOR).

  • Stored or reflected XSS with meaningful impact.

  • Sensitive data exposure (customer data, credentials, secrets).

  • Server-side injection (SQLi, template injection), RCE.

  • Business-logic flaws with security impact (bypass of fees/controls, privilege escalation).

  • Misconfigurations leading to access to non-public data or systems.

Targets:

  • Dwellsy-owned web properties and APIs under dwellsy.com and its subdomains.

  • Other Dwellsy assets explicitly authorized by us in writing.

If you’re unsure whether something is in scope, email security@dwellsy.com before testing.

Out of Scope (Not Reward-Eligible)

We appreciate all reports, but the following are generally out of scope and not eligible for bounties:

  • Self-XSS.

  • Text injection / local DOM changes without security impact.

  • Email spoofing without a demonstrable exploit path.

  • Path disclosure/stack traces/verbose errors.

  • Fingerprinting of public services (IP addresses, software versions, service banners).

  • CSRF on endpoints with no state-changing or security impact.

  • Rate-limiting gaps, DoS/DDoS, spam or volumetric tests.

  • Mixed-content warnings; clickjacking on pages without sensitive actions.

  • Physical attacks, social engineering, phishing.

  • Non-sensitive file disclosure (e.g., robots.txt, .gitignore).

  • Brute force / credential stuffing without impact.

  • Issues on non-Dwellsy assets or third-party platforms we don’t control.

We may treat other low-risk, best-practice, or purely theoretical issues as informational only.

Researcher Rules of Engagement

To protect users and system stability:

  • No data exfiltration. If you encounter sensitive data, stop and report immediately.

  • No service degradation. Do not run high-volume scans or DoS tests.

  • No lateral movement or persistence.

  • Use test accounts only (do not access real user accounts).

  • Respect privacy. Do not store, share, or publish non-public data.

  • Allow a reasonable remediation window before any public disclosure.

  • Comply with applicable laws.

Safe Harbor: If you act in good faith and follow these rules, we will consider your research authorized under this program and will not pursue or support legal action against you for it.

How to Report

Email: security@dwellsy.com

Please include:

  • Title & impact (what an attacker can do; who/what is affected).

  • Affected asset(s) (URL/endpoint/version).

  • Reproduction steps (numbered, from a fresh session).

  • PoC artifacts (minimal exploit code, screenshots, requests/responses).

  • Severity rationale (a CVSS vector/score or clear written reasoning).

  • Suggested remediation (if available).

  • Your preferred contact details (for follow-up and, where applicable, recognition or optional rewards).

Submissions without clear impact and step-by-step reproduction are unlikely to qualify for further review, recognition, or rewards.

Triage & Response SLAs

  • Acknowledgement: within 7 business days.

  • Initial triage: within 21 business days (validation, scope, preliminary severity).

  • Status updates: at meaningful milestones (validation, fix in progress, remediation).

  • Disclosure: coordinated after validation and a reasonable remediation window.

Note: Timelines may vary based on complexity; we’ll communicate if more time is needed.

Recognition & Optional Rewards (Lean Program)

This is a discretionary, low-volume bug bounty program:

  • Our default response for valid, in-scope reports is thanks and recognition, not payment.

  • For a small number of high-impact, clearly exploitable vulnerabilities, Dwellsy may, at its sole discretion, offer a modest financial reward as a token of appreciation.

  • Bounties are not guaranteed for any report, even if valid and in scope.

  • We do not negotiate reward amounts.

  • Factors we consider include: impact, exploitability, blast radius, ease of abuse, systemic relevance, and report quality (clarity + PoC).

Where we do provide a financial token of thanks, we may pay via PayPal, Wise, or (by exception) bank transfer. A W-9 or W-8BEN form may be required. We cannot pay to sanctioned jurisdictions; minors require guardian consent.

Recognition: With your consent, we can list you in our Hall of Fame and/or provide a certificate or written acknowledgement.

Program Quality Controls

To keep the program effective and manageable:

  • A limit of two (2) open submissions per researcher at a time; submit additional reports after the open ones have been triaged.

  • One report per root cause; consolidate related endpoints.

  • No automated high-volume scanning.

  • We may close a ticket as stale after 7 days without a response from the researcher.

  • We may pause or change rewards/terms at any time, including operating in “recognition-only” mode without financial rewards.

Anonymous Reports

Anonymous submissions are welcome. If you want to receive status updates or be eligible for any potential reward, include a contact method. We will not disclose your identity without your explicit permission.

Legal

Participation constitutes acceptance of these terms.

Dwellsy may adjust scope, rewards, and terms or pause/end the program at any time.
Bounties and recognition are discretionary; eligibility and amounts are final once determined by Dwellsy.
Do not access, modify, or destroy data you do not own.

Questions before testing or unsure about scope? Email security@dwellsy.com. Thank you for helping protect the Dwellsy community.