# Vulnerability Disclosure Program

Dispel is committed to maintaining the security, integrity, and availability of our systems, products, and services. We recognize that security researchers and members of the broader cybersecurity community play an important role in identifying vulnerabilities. We welcome responsible, good-faith research conducted in a manner that protects our customers and our operational environments.

### Scope

This program applies to specific publicly accessible systems, services, applications, APIs, and websites owned and operated by Dispel, including dispel.com related subdomains, as well as Dispel-developed software and hosted services.

The specific services in-scope are:

* dashboard.dispel.io
* app.dispel.com
* api.dispel.com

These services are *not* in-scope:

* dispel.com
* status.dispel.com
* docs.dispel.com
* help.dispel.io

Customer-managed environments, third-party systems, social engineering, physical intrusion, denial-of-service activity, automated scanning that degrades performance, and any testing that could disrupt operational or safety-critical systems are not authorized under this program.

### How to Report a Vulnerability

If you believe you have identified a security vulnerability, please report it to:

**<security@dispel.com>**

To help us assess the issue efficiently, please include:

* A description of the vulnerability
* The affected system or URL
* Steps to reproduce the issue
* Any supporting evidence or proof-of-concept
* Your contact information

If submitting sensitive information, encrypted communication is encouraged.

### Our Commitment

When a report is submitted in good faith and in accordance with this program, Dispel will:

* Acknowledge receipt within a reasonable timeframe
* Validate and assess the reported issue
* Prioritize remediation based on risk and impact
* Work toward timely resolution
* Coordinate public disclosure when appropriate

Resolution timelines may vary depending on complexity, operational considerations, and safety impacts.

Dispel supports coordinated vulnerability disclosure. We request that researchers refrain from public disclosure until we have had a reasonable opportunity to investigate and remediate the issue. When appropriate, we may coordinate on the timing and content of public communications. In circumstances where there is evidence of active exploitation or material risk, Dispel may act to disclose information in a manner intended to protect customers and affected parties.

Dispel will not initiate legal action against individuals who identify and report vulnerabilities in good faith, comply with this policy, avoid harm, and provide us a reasonable opportunity to address the issue. This safe harbor does not extend to actions that violate applicable law, compromise privacy, disrupt services, or exceed the boundaries of authorized testing described here.

### Researcher Expectations

Researchers must act in good faith and avoid actions that could compromise data confidentiality, system integrity, service availability, or safety. Testing should be limited to what is necessary to demonstrate the presence of a vulnerability. Accessing, modifying, or exfiltrating data that does not belong to you is not authorized. If you inadvertently access sensitive information, you must cease testing immediately and notify Dispel without retaining, copying, or disclosing the data.

Participants in this program must:

* Act in good faith and avoid causing harm
* Test only in-scope systems
* Avoid accessing, modifying, or retaining data that does not belong to them
* Cease testing immediately if unintended sensitive data is accessed and report it promptly
* Refrain from public disclosure until Dispel has had a reasonable opportunity to investigate and remediate

### Safe Harbor

Dispel will not pursue legal action against researchers who comply with this program and conduct testing in good faith. This safe harbor applies only to activities consistent with this policy and does not extend to unlawful conduct, privacy violations, service disruption, or testing outside defined scope.

### Recognition

Dispel does not operate a public bug bounty program. Recognition for responsible disclosures may be provided at our discretion.

***

Security reports should be directed to <security@dispel.com>. For general legal inquiries, please contact <legal@dispel.com>.

We appreciate the efforts of the security research community and value responsible collaboration in protecting the cyber-physical systems and environments our customers rely on.


