Bounty Sizes
Bounty sizes are determined at Dune’s sole discretion. We consider the severity and impact of the vulnerability as well as the quality of the submission. The rubric we use to determine bug bounties is as follows:

Level | Example | Maximum Bug Bounty
---|---|---
6. Severe | Unauthorized access to any part of the platform; ability to delete or manipulate user data or analytics | Let’s talk
5. Critical | Unauthorized ability to execute arbitrary code on the server; exploiting API endpoints to access restricted data | Up to $5,000
4. High | SQL injection leading to data exfiltration; bypassing authentication mechanisms | Up to $2,500
3. Medium | Cross-site scripting (XSS); CSRF that affects user accounts | Up to $1,000
2. Low | Security misconfigurations; information leakage (server info, stack traces) | Up to $250
1. Info | Suggestions for improvements or best practices | 
Duplicate Submissions Policy
We value all security research, but we do not provide rewards for submissions that cover known issues already reported by other researchers or internally identified by our team. If your report is a duplicate, we will notify you of the status and appreciate your effort, but no bounty will be issued.

Variations and Bypasses of Previously Reported Issues
If you discover a bypass or a variation of a previously reported vulnerability, this will typically be considered part of the same issue and not eligible for an additional full bounty. This applies especially to cases where:
- A fix for a previously reported issue was incomplete or could be bypassed
- The vulnerability uses a similar technique with minor variations
- The vulnerability affects the same endpoint or feature
Misuse of Stolen Credentials
We value all security research, but issues stemming from stolen or compromised credentials (e.g., through malware or phishing attacks on user browsers) do not qualify as vulnerabilities in our systems and are therefore not eligible for a bounty. While these reports highlight potential risks, the security of user credentials lies outside the scope of this program.

Bug Bounty Rules and Safe Harbor
By participating in this program, you agree to abide by the following rules to help us maintain a secure environment for all users.
- Safe Harbor: We authorize participants to test and report vulnerabilities in our systems, provided they act with due care and in good faith to minimize harm or disruption to our users and services. Actions conducted in compliance with the rules and within the scope of this program are considered authorized, and we will not pursue legal action or report you for such activities. If a third party challenges your research, we will confirm that it was authorized under this program. This protection applies only to our systems and does not extend to third-party property. If you are unsure about the scope or your actions, please contact us for clarification.
- Ethical Conduct: Participants must adhere to the highest standards of ethical, good-faith behavior. We reserve the right to disqualify submissions from researchers who do not follow these rules or engage in unethical behavior.
- Responsible Reporting: Report findings directly to us via the designated form and provide sufficient details to reproduce and address the issue. Do not publicly disclose vulnerabilities before we have resolved them.
- No Social Engineering: Do not engage in social engineering or phishing attacks against our users or employees.
- No Unauthorized Access to Data: Do not access, modify, or delete data that does not belong to you. Use separate test accounts.
- Original Work Only: All submissions must be the original work of the researcher. Submissions generated by AI or automation tools, or identical to previously submitted reports, will be disqualified. Researchers are responsible for thoroughly verifying their findings before submission to ensure their validity and uniqueness.
- No Partnership: Participation in this program does not create an employment or partnership relationship. Rewards are discretionary and provided without further obligations or benefits.
- Legal Compliance: Participation must not violate any applicable laws or regulations. Participants are responsible for reporting and paying any taxes owed on rewards received under this program. We do not withhold taxes or provide tax advice, but upon request, we may provide basic information about payments to assist with tax obligations.
- Sanctions: Rewards will not be issued to participants located in or associated with countries or regions subject to U.S., EU, or UN sanctions.