Security

We Run A Public Bug Bounty.

DeData operates on the assumption that adversarial researchers find bugs before we do. If you find one, we want to pay you for it. The policy below is binding — read the scope and safe-harbor sections before testing.

Reporting A Vulnerability

PGP Key
Available on request — email security@dedatalabs.org.
Triage SLA
Acknowledgement within 48 hours, severity assignment within 5 business days.
Disclosure
Coordinated disclosure after fix is deployed. Public credit on this page if you want it.

Scope

In Scope

  • api.dedatalabs.org

    Production API, including auth, billing, scrape orchestration, and admin endpoints.

  • dedatalabs.org

    Production marketing site and customer dashboard at the same origin.

  • Public Whois API

    The unauthenticated REST endpoint at api.dedatalabs.org/api/v1/public/whois.

Out Of Scope

  • Third-Party Services

    Stripe, Postmark, Cloudflare, Sentry, Vanta — report to those vendors directly.

  • Denial Of Service

    Volumetric or application-layer DoS against any DeData host.

  • Social Engineering

    Phishing or pretexting against DeData employees, contractors, or customers.

  • Physical Access

    Office, residence, mailroom, or any physical-access vector.

Safe Harbor

DeData adopts the disclose.io core safe-harbor terms. If you make a good-faith effort to comply with this policy, we will:

  • Consider your research authorized and not pursue legal action under the Computer Fraud and Abuse Act, the DMCA, or state computer-crime statutes.
  • Work with you to understand and resolve the issue quickly, without retaliation.
  • Not pursue civil action so long as you avoid privacy violations, destruction of data, or interruption of service.

This authorization extends only to the in-scope assets above. Third-party services have their own programs and we cannot authorize testing on them.

Severity & Reward

  • P0 — Critical

    Examples: Authentication bypass, remote code execution, full database read.
    Reward: $1,000 – $5,000

  • P1 — High

    Examples: Cross-site scripting with session token theft, privilege escalation, IDOR exposing PII.
    Reward: $250 – $1,000

  • P2 — Medium

    Examples: CSRF on sensitive actions, reflected XSS without session impact, business-logic flaws.
    Reward: $50 – $250

  • P3 — Informational

    Examples: Best-practice deviations, missing security headers, low-impact information disclosure.
    Reward: Thanks & Hall-Of-Fame Credit

Final reward is determined by severity, exploitability, and report quality. Duplicates are paid to the first reporter only.

Hall Of Fame

Researchers who have responsibly disclosed valid issues will be listed here, with their consent. Be the first — submit a report at security@dedatalabs.org.