Coordinated disclosure & rewards
Bug Bounty
We run a public bug-bounty program because zero-knowledge claims have to survive external scrutiny. If you find a vulnerability that puts user data at risk, we want to hear about it — and we will pay for the work.
Safe harbor
Security research performed in good faith and in accordance with this policy is authorized under DRIVUNO's Terms of Service. We will not initiate legal action against you, nor ask law-enforcement to do so, for accidental, good-faith violations of this policy. We waive any DMCA claims against research conducted under these rules.
If a third party initiates legal action against you for activity that complied with this policy, we will make it known publicly that your actions were authorized.
Rules of engagement
- • Test only against accounts you own. Use disposable email addresses you control.
- • Never access, modify, or exfiltrate data that does not belong to you. If you accidentally do, stop immediately and report it.
- • Do not run automated scanners that generate sustained load. A few requests per second is fine; a flood is not.
- • Do not publicly disclose a vulnerability before we have shipped a fix and agreed on a coordinated disclosure date (typically 90 days from triage).
- • One report per vulnerability. Aggregating multiple findings in one report delays everyone.
- • Include a clear, reproducible proof-of-concept. No PoC means we will likely close the report as "not enough information".
- • Report through the channel below — not via support, sales, or social media.
In scope
- drivuno.com and www.drivuno.com (production)
- drivuno.lovable.app (mirror)
- All HTTP endpoints under /api/ and all server functions
- Authentication, MFA, passkey, and recovery flows
- Zero-knowledge file storage, sharing, and mailbox flows
- Team / organization flows, including invitations and key rotation
- Backup and failover pipelines reachable from the public web
- Open-source crypto code in src/lib/crypto.ts and src/lib/teams.crypto.ts
Out of scope
- Findings requiring physical access to a victim's device
- Social-engineering of DRIVUNO staff or users
- DoS / volumetric attacks (use a synthetic account, no flood testing)
- Self-XSS, clickjacking on non-authenticated pages without impact
- Missing security headers without a demonstrated exploit
- Reports from automated scanners with no validated impact
- Email spoofing without DMARC/DKIM bypass on drivuno.com
- Vulnerabilities in third-party dependencies without a working PoC against DRIVUNO
- Issues only reproducible in unsupported browsers (>2 versions behind)
Rewards
Rewards are paid in EUR by bank transfer after triage and fix. The amounts below are guidance — exceptional reports (novel attack class, cryptographic break, supply-chain compromise) can pay significantly more, and we will say so up front.
| Severity | Reward range | Examples |
|---|---|---|
| Critical | €1,500 – €5,000 | Remote code execution on our infrastructure, recovery of plaintext file content from server-side data alone, full account takeover without user interaction, master-key recovery from server-stored material. |
| High | €500 – €1,500 | Cross-tenant data access bypassing RLS, authentication bypass requiring no user interaction, stored XSS in an authenticated context, decryption of public-share content without the fragment key. |
| Medium | €150 – €500 | Reflected XSS, CSRF on a state-changing endpoint, sensitive metadata leak across tenants, MFA bypass requiring partial credentials. |
| Low | €50 – €150 | Information disclosure with limited impact, rate-limit bypass without amplification, security-header misconfigurations with demonstrable effect. |
First-time researchers may be paid a flat triage bonus of €50 on top of the first valid report regardless of severity. Duplicate reports are awarded to whoever filed first.
How to report
What to include
- A short description of the vulnerability and its impact.
- Exact steps to reproduce, including the affected URL, endpoint, or RPC name.
- A minimal proof-of-concept (request, script, or short video).
- Any test accounts you created (we will purge them after triage).
- Your preferred name for the public acknowledgment, or "anonymous".
Our response timeline
- • Acknowledgement: within 3 business days.
- • Triage decision: within 10 business days (in/out of scope, severity).
- • Fix or mitigation: target 30 days for High/Critical, 90 days otherwise.
- • Reward payment: within 14 days of fix deployment.
- • Public acknowledgement: on the security changelog, with your chosen attribution.