Bug Bounty

Policy

Dashtoon is on a mission to reinvent how comics are created and consumed using generative AI technology. We want to disrupt and expand the creator economy around comic creation. Our vision sets us on a path to being the best in AI research, product design, content creation, and building the most innovative creator community.

Dashtoon welcomes security researchers to submit vulnerabilities in an ethical and responsible manner. Security researchers can report security vulnerabilities by email to [email protected]

Program Rules

By participating in the Dashtoon bug bounty program, you agree to the following rules:

Provide reports with sufficient detail and reproducible steps. If a report is not detailed enough to reproduce the issue, it will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
When duplicates occur, we only award the first report received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service.
Dashtoon employees are not permitted to participate in this bug bounty program.
In case of any privacy violation, destruction of data, interruption or degradation of service, or any breach of the terms and conditions of this bug bounty program, Dashtoon reserves the right to take appropriate action and/or report to regulatory authorities.
No person or entity with any form of pending criminal case is eligible to participate in the program. Dashtoon is entitled to request the necessary information, documents or declarations in this regard before disbursing bug bounty rewards.

Response Targets

Dashtoon will make its best effort to meet the following service level agreements (SLAs) for hackers participating in our program:

Type of Response (SLA in business days)

First Response - 2 days
Time to Triage - 3 days
Time to Bounty - 14 days
Time to Resolution - depends on severity and complexity

We’ll do our best to keep you informed about our progress throughout the process.

Scope

The current scope is limited to:
dashtoon.com
studio.dashtoon.ai
Dashtoon Android/iOS application

Rewards Structure

Low - up to INR 5,000
Medium - up to INR 10,000
High - up to INR 30,000
Critical - up to INR 60,000

By default, we categorise reports using the CVSS v3.0 calculator. However, we may increase or decrease the severity given by the calculator, because for certain types of vulnerabilities the calculator score does not reflect the real impact well. We shall endeavour to define and pay bounties within 30 days after verifying the severity of the issue, or when the issue is resolved.

Program Access Requirements

While performing security assessments, all researchers are requested to include the following header in every request so that test traffic can be attributed to them: X-Dashtoon-BugBounty: [your email address]

Out of scope vulnerabilities

The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or brute force issues on non-authentication endpoints
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Public zero-day vulnerabilities that have had an official patch for less than 1 month will be considered for an award on a case-by-case basis.
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction, e.g. installing a malicious app on the user's device.

Prohibited Activities

DDoS
Gaining access to other users' accounts and modifying their information is strictly prohibited. Always use your own user accounts across Dashtoon to find and demonstrate a vulnerability. Refrain from testing on any user account that does not belong to you.
Do not dump any user or seller information using a vulnerability that has been discovered.

Disclosure Policy

We do not allow public disclosure. Please obtain written permission from our team before any disclosure. Public disclosure is at Dashtoon's discretion only.

Suggestions

Have suggestions about this policy? Send us a note with the subject "Suggestion on bug bounty program". Suggestions on the reward amounts will be ignored. Anything else is gladly welcomed.