Vulnerability Disclosure Policy
1. Introduction
At Sky Dust, we take the security of our platform (skydust.app) and website (skydust.io) seriously. We value the contributions of security researchers and the broader community to help identify vulnerabilities. This policy outlines how to report vulnerabilities and what you can expect from us.
2. Scope
This policy applies to the Skydust platform (skydust.app) and website (skydust.io). We encourage the reporting of vulnerabilities related to:
- Authentication or authorization flaws
- Data leaks or exposure
- Cross-site scripting (XSS)
- SQL injection
- Remote code execution
Out of Scope:
- Issues related to third-party services or software
- Denial of Service (DoS) attacks
- Physical security issues
- Social engineering attacks
- Low-Risk Issues: Non-exploitable vulnerabilities, including issues related to outdated browsers or minor security misconfigurations, are also out of scope
3. Reporting a Vulnerability
How to Report: Please send a detailed description of the vulnerability to our security team at security@skydust.io. Include the following:
- A clear description of the issue
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Any supporting screenshots or videos
What We Expect:
- Confidentiality: Do not publicly disclose the vulnerability until we have resolved the issue.
- Compliance: Avoid any actions that could disrupt our services, access personal data, or damage our systems.
- Legal Boundaries: Ensure that your testing stays within legal boundaries and adheres to our terms and conditions.
4. Our Commitment
- Response Time: We will acknowledge your report within 5 business days.
- Resolution Time: We aim to resolve valid vulnerabilities within 30 days. We will keep you updated on the progress.
- No Legal Action: As long as you follow this policy and report vulnerabilities responsibly, we will not initiate legal action against you.
- Recognition: We may publicly acknowledge your contribution if you wish, once the vulnerability is resolved.
5. Legal Protections
- Good Faith Testing: We recognize testing done in good faith as a valuable contribution to our security.
- No Compensation: While we greatly appreciate your efforts, we currently do not offer monetary rewards for vulnerability reports.
- Data Protection: Any data you may encounter during your research must not be disclosed to third parties and must be securely deleted after reporting the vulnerability.
6. Contact Information
If you have any questions about this policy or need further clarification, please contact us at security@skydust.io.