Bounty Sizes
Bounty sizes are determined at Dune’s sole discretion. We consider the severity and impact of the vulnerability as well as the quality of the submission. The rubric we use to determine bug bounties is as follows:Duplicate Submissions Policy
We value all security research, but we do not provide rewards for submissions that cover known issues already reported by other researchers or internally identified by our team. If your report is a duplicate, we will notify you of the status and appreciate your effort, but no bounty will be issued.Variations and Bypasses of Previously Reported Issues
If you discover a bypass or a variation of a previously reported vulnerability, this will typically be considered part of the same issue and not eligible for an additional full bounty. This applies especially to cases where:- A fix for a previously reported issue was incomplete or could be bypassed
- The vulnerability uses a similar technique with minor variations
- The vulnerability affects the same endpoint or feature
Out of Scope
The following classes of report are considered out of scope or below the payment threshold and will not be rewarded:- Externally leaked credentials. Issues stemming from stolen or compromised credentials (e.g. through malware, phishing, or credentials surfaced via third-party leak databases or web archives) do not qualify as vulnerabilities in our systems.
- Business-logic limit bypasses. Race conditions or other techniques used to exceed free-plan limits (team count, private content count, member count, etc.) without a security impact.
- Reflected text or HTML in non-sensitive contexts without script execution (often referred to as “content spoofing”).
- Public assets and installer scripts. Files we publish as public artifacts (installers, SDKs, documentation, marketing content) are intentionally public.
- Session-handling preferences that do not enable cross-user access (e.g. session lifetime, lack of forced re-login on profile changes).
- Missing security headers, TLS configuration concerns, and best-practice recommendations without a demonstrated exploit path.
- Reports generated by automated scanners without verification or a working proof of concept.
Bug Bounty Rules and Safe Harbor
By participating in this program, you agree to abide by the following rules to help us maintain a secure environment for all users.- Safe Harbor: We authorize participants to test and report vulnerabilities in our systems, provided they act with due care and in good faith to minimize harm or disruption to our users and services. Actions conducted in compliance with the rules and within the scope of this program are considered authorized, and we will not pursue legal action or report you for such activities. If a third party challenges your research, we will confirm that it was authorized under this program. This protection applies only to our systems and does not extend to third-party property. If you are unsure about the scope or your actions, please contact us for clarification.
- Ethical Conduct: Participants must adhere to the highest standards of ethical, good-faith behavior. We reserve the right to disqualify submissions from researchers who do not follow these rules or engage in unethical behavior.
- Responsible Reporting: Report findings directly to us via the designated form and provide sufficient details to reproduce and address the issue. Do not publicly disclose vulnerabilities before we have resolved them.
- No Social Engineering: Do not engage in social engineering or phishing attack on our users or employees.
- No Unauthorized Access to Data: Do not access, modify, or delete data that does not belong to you. Use separate test accounts.
- Original Work Only: All submissions must be the original work of the researcher. Submissions generated by AI or automation tools, or identical to previously submitted reports, will be disqualified. Researchers are responsible for thoroughly verifying their findings before submission to ensure their validity and uniqueness.
- No Partnership: Participation in this program does not create an employment or partnership relationship. Rewards are discretionary and provided without further obligations or benefits.
- Legal Compliance: Participation must not violate any applicable laws or regulations. Participants are responsible for reporting and paying any taxes owed on rewards received under this program. We do not withhold taxes or provide tax advice, but upon request, we may provide basic information about payments to assist with tax obligations.
- Sanctions: Rewards will not be issued to participants located in or associated with countries or regions subject to U.S., EU, or UN sanctions.