Dualog recognises that the security community is a force in our quest to provide a safe and secure experience for Dualog's customers.
Our Vulnerability Disclosure Program aims to enable us to keep a high standard with regards to security in all our products and digital services, on-premises, throughout our operations and in the cloud environment. Please remember that only security vulnerabilities will qualify. To ensure that your observations are properly reported you shall use only approved channels, namely, you should report discovered vulnerability via email to firstname.lastname@example.org.
Your submission will be reviewed and validated by a member of the Product Security Incident Response Team.
We accept only manual or semi-manual tests. We will consider all findings coming from automated tools or scripts as out of scope. Furthermore, issues without clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope. We reserve our right not to act in case of findings with no real risk impact on our data integrity and security. All researches violating our Terms of Service and GDPR-related documentation as well as governing law shall be treated as acting in bad faith and thus illegal.
Dualog will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.
We are not obliged to provide remuneration, fee or rewards for any vulnerability disclosure – such action remains in our full discretion.
Any activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you.
If you have any questions, please feel free to contact our CISO Geir Inge Jensen or send an inquiry to email@example.com