Vulnerability Disclosure Program

Dispel is committed to maintaining the security, integrity, and availability of our systems, products, and services. We recognize that security researchers and members of the broader cybersecurity community play an important role in identifying vulnerabilities. We welcome responsible, good-faith research conducted in a manner that protects our customers and our operational environments.

Scope

This program applies to specific publicly accessible systems, services, applications, APIs, and websites owned and operated by Dispel, including dispel.com related subdomains, as well as Dispel-developed software and hosted services.

The specific services in-scope are:

  • dashboard.dispel.io

  • app.dispel.com

  • api.dispel.com

These services are not in-scope:

  • dispel.com

  • status.dispel.com

  • docs.dispel.com

  • help.dispel.io

Customer-managed environments, third-party systems, social engineering, physical intrusion, denial-of-service activity, automated scanning that degrades performance, and any testing that could disrupt operational or safety-critical systems are not authorized under this program.

How to Report a Vulnerability

If you believe you have identified a security vulnerability, please report it to:

[email protected]

To help us assess the issue efficiently, please include:

  • A description of the vulnerability

  • The affected system or URL

  • Steps to reproduce the issue

  • Any supporting evidence or proof-of-concept

  • Your contact information

If submitting sensitive information, encrypted communication is encouraged.

Our Commitment

When a report is submitted in good faith and in accordance with this program, Dispel will:

  • Acknowledge receipt within a reasonable timeframe

  • Validate and assess the reported issue

  • Prioritize remediation based on risk and impact

  • Work toward timely resolution

  • Coordinate public disclosure when appropriate

Resolution timelines may vary depending on complexity, operational considerations, and safety impacts.

Dispel supports coordinated vulnerability disclosure. We request that researchers refrain from public disclosure until we have had a reasonable opportunity to investigate and remediate the issue. When appropriate, we may coordinate on the timing and content of public communications. In circumstances where there is evidence of active exploitation or material risk, Dispel may act to disclose information in a manner intended to protect customers and affected parties.

Dispel will not initiate legal action against individuals who identify and report vulnerabilities in good faith, comply with this policy, avoid harm, and provide us a reasonable opportunity to address the issue. This safe harbor does not extend to actions that violate applicable law, compromise privacy, disrupt services, or exceed the boundaries of authorized testing described here.

Researcher Expectations

Researchers must act in good faith and avoid actions that could compromise data confidentiality, system integrity, service availability, or safety. Testing should be limited to what is necessary to demonstrate the presence of a vulnerability. Accessing, modifying, or exfiltrating data that does not belong to you is not authorized. If you inadvertently access sensitive information, you must cease testing immediately and notify Dispel without retaining, copying, or disclosing the data.

Participants in this program must:

  • Act in good faith and avoid causing harm

  • Test only in-scope systems

  • Avoid accessing, modifying, or retaining data that does not belong to them

  • Cease testing immediately if unintended sensitive data is accessed and report it promptly

  • Refrain from public disclosure until Dispel has had a reasonable opportunity to investigate and remediate

Safe Harbor

Dispel will not pursue legal action against researchers who comply with this program and conduct testing in good faith. This safe harbor applies only to activities consistent with this policy and does not extend to unlawful conduct, privacy violations, service disruption, or testing outside defined scope.

Recognition

Dispel does not operate a public bug bounty program. Recognition for responsible disclosures may be provided at our discretion.


Security reports should be directed to [email protected]. For general legal inquiries, please contact [email protected].

We appreciate the efforts of the security research community and value responsible collaboration in protecting the cyber-physical systems and environments our customers rely on.
