If you believe you have discovered a security issue within our web application or API, we highly encourage you to report it to us. We appreciate the efforts of ethical hackers and reward those who responsibly disclose vulnerabilities. Please submit any vulnerability or bug discovered via this form: https://forms.gle/NTK3FGMYRsAWKkY4A

Please note that it is essential to provide a video or script reproducing the issue. This greatly speeds up our understanding of the issue. We do not accept email submissions of vulnerabilities. All reports must go through the form above to ensure they are tracked and processed appropriately.

Due to the high volume of submissions we receive, we only provide responses to reports that result in a payout. If you do not hear back from us within one month, you can assume that your submission has been classified as informational or duplicate. Emailing us for updates will not speed up the review process, and repeated inquiries may result in disqualification.

We value transparency and will work with you to resolve any legitimate issues found. Your efforts help us maintain the security and trustworthiness of our platform. Thank you for your contribution to our security.

Bounty Sizes

Bounty sizes are determined at Dune’s sole discretion. We consider the severity and impact of the vulnerability as well as the quality of the submission. The rubric we use to determine bug bounties is as follows:
Level | Mental model | Example | Maximum Bug Bounty
5. Severe | The platform is compromised | Remote code execution on Dune-operated servers · Access to internal infrastructure, secrets, or databases · Mass extraction or destruction of customer data across tenants · SQL injection enabling cross-tenant data access · Theft of customer funds | Let’s talk
4. Critical | Any user can be compromised | Full account takeover of arbitrary users · Exploiting application or API endpoints to read another user’s restricted data · Privilege escalation within the application (e.g. non-admin gaining admin rights on a team they don’t own) | Up to $5,000
3. High | A specific user is compromised, with bounded scope | SQL injection enabling exfiltration of another user’s data · Authentication bypass with limited or single-account scope (e.g. bypassing a specific check rather than logging in as anyone) · Ability to delete or manipulate another user’s data or analytics · Auth/OAuth flaws enabling theft of authorization codes or session tokens from other users | Up to $2,500
2. Medium | A user is impacted with limited reach | Stored or reflected cross-site scripting (XSS) with script execution in an authenticated context · CSRF affecting user accounts · Authenticated IDOR exposing other users’ non-public data · Business-logic flaws with a realistic abuse path beyond plan-limit bypasses | Up to $1,000
1. Info | No demonstrated user impact | Suggestions, hardening recommendations, security misconfigurations without a demonstrated impact, server info or stack traces with no path to exploit | No bounty

Duplicate Submissions Policy

We value all security research, but we do not provide rewards for submissions that cover known issues already reported by other researchers or internally identified by our team. If your report is a duplicate, we will notify you of the status and appreciate your effort, but no bounty will be issued.

Variations and Bypasses of Previously Reported Issues

If you discover a bypass or a variation of a previously reported vulnerability, this will typically be considered part of the same issue and not eligible for an additional full bounty. This applies especially to cases where:
  • A fix for a previously reported issue was incomplete or could be bypassed
  • The vulnerability uses a similar technique with minor variations
  • The vulnerability affects the same endpoint or feature
We encourage researchers to thoroughly test our fixes and report bypasses, but these will generally be bundled with the original report for bounty considerations. In some cases, at our discretion, we may offer a smaller reward for significant bypasses that require substantial new techniques.

Out of Scope

The following classes of report are considered out of scope or below the payment threshold and will not be rewarded:
  • Externally leaked credentials. Issues stemming from stolen or compromised credentials (e.g. through malware, phishing, or credentials surfaced via third-party leak databases or web archives) do not qualify as vulnerabilities in our systems.
  • Business-logic limit bypasses. Race conditions or other techniques used to exceed free-plan limits (team count, private content count, member count, etc.) without a security impact.
  • Reflected text or HTML in non-sensitive contexts without script execution (often referred to as “content spoofing”).
  • Public assets and installer scripts. Files we publish as public artifacts (installers, SDKs, documentation, marketing content) are intentionally public.
  • Session-handling preferences that do not enable cross-user access (e.g. session lifetime, lack of forced re-login on profile changes).
  • Missing security headers, TLS configuration concerns, and best-practice recommendations without a demonstrated exploit path.
  • Reports generated by automated scanners without verification or a working proof of concept.

Bug Bounty Rules and Safe Harbor

By participating in this program, you agree to abide by the following rules to help us maintain a secure environment for all users.
  • Safe Harbor: We authorize participants to test and report vulnerabilities in our systems, provided they act with due care and in good faith to minimize harm or disruption to our users and services. Actions conducted in compliance with the rules and within the scope of this program are considered authorized, and we will not pursue legal action or report you for such activities. If a third party challenges your research, we will confirm that it was authorized under this program. This protection applies only to our systems and does not extend to third-party property. If you are unsure about the scope or your actions, please contact us for clarification.
  • Ethical Conduct: Participants must adhere to the highest standards of ethical, good-faith behavior. We reserve the right to disqualify submissions from researchers who do not follow these rules or engage in unethical behavior.
  • Responsible Reporting: Report findings directly to us via the designated form and provide sufficient details to reproduce and address the issue. Do not publicly disclose vulnerabilities before we have resolved them.
  • No Social Engineering: Do not engage in social engineering or phishing attacks on our users or employees.
  • No Unauthorized Access to Data: Do not access, modify, or delete data that does not belong to you. Use separate test accounts.
  • Original Work Only: All submissions must be the original work of the researcher. Submissions generated by AI or automation tools, or identical to previously submitted reports, will be disqualified. Researchers are responsible for thoroughly verifying their findings before submission to ensure their validity and uniqueness.
  • No Partnership: Participation in this program does not create an employment or partnership relationship. Rewards are discretionary and provided without further obligations or benefits.
  • Legal Compliance: Participation must not violate any applicable laws or regulations. Participants are responsible for reporting and paying any taxes owed on rewards received under this program. We do not withhold taxes or provide tax advice, but upon request, we may provide basic information about payments to assist with tax obligations.
  • Sanctions: Rewards will not be issued to participants located in or associated with countries or regions subject to U.S., EU, or UN sanctions.