Policy · v1.0
Vulnerability Disclosure Policy
DRIVUNO welcomes coordinated security research. This policy describes how to report a vulnerability, what is in scope, and what you can expect from us.
How to report
Email security@drivuno.com.
We accept PGP-encrypted reports. Our key fingerprint and full key are published at /.well-known/security.txt.
Please include: a clear description, reproduction steps, impact assessment, and any relevant logs. Do not include third-party PII. Do not include exploit payloads against live user data.
In scope
- drivuno.com, www.drivuno.com, app subdomains, and any *.lovable.app production URL we operate.
- Authentication, session, and recovery flows.
- Cryptographic implementation issues in the frontend.
- Row-Level Security and authorization bypasses on backend RPCs.
- Stored XSS, SSRF on our APIs, and CSP bypass leading to script execution.
- Subdomain takeovers and DNS misconfigurations.
- Public sharing system, mailbox, and team folder isolation.
Out of scope
- Social engineering of DRIVUNO staff or users.
- Physical attacks against DRIVUNO offices or data center providers.
- Denial-of-service via volumetric traffic.
- Reports requiring root or local malware on a victim's device.
- Missing low-impact headers on non-authenticated marketing pages.
- Best-practice recommendations without a concrete impact.
- Self-XSS, clickjacking on pages with no state-changing actions, and CSRF on logout.
Safe harbor
Good-faith security research that follows this policy will not result in legal action from DRIVUNO. We ask that you: (a) avoid privacy violations, data destruction, and service degradation; (b) only interact with accounts you own or have explicit permission to test; (c) do not exfiltrate user data beyond the minimum needed to demonstrate impact; (d) keep the report confidential until we have remediated.
Response timeline
- Acknowledgement within 2 business days.
- Triage and severity assignment within 5 business days.
- Status update at least every 14 days until resolution.
- Public advisory (with credit, unless you ask otherwise) once a fix has been shipped.
Coordinated disclosure
We commit to crediting researchers in the security changelog unless they prefer anonymity, and to publishing a clear advisory describing the issue, affected versions, and remediation.