We believe that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.

Response Targets

Doppler will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 1 days |

| Time to Triage | 2 days |

| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Register all accounts using your <username>+x@wearehackerone.com address.

• Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding

• A Proof of Concept (PoC) is required for all reports

• We will inform you of remediation and may ask you to help confirm the fix

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Register all accounts using your <username>+x@wearehackerone.com address.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be considered valid.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

• Please keep account creation for this program to no more than 3 accounts.

Out of scope vulnerabilities

The following issues are considered out of scope:

• Attacks requiring MITM or physical access to a user's device.

• Attacks requiring attacker control over a user's email account

• Previously known vulnerable libraries without a working Proof of Concept.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Tabnabbing

• Issues that require unlikely user interaction

Common reports

The following issues are those which we commonly receive reports for and should not be reported. These reports will be closed as invalid:

• MFA bypass when using Google Auth/SAML (intended behavior)

• Referral credit accumulation using enumerated/deleted accounts (accepted risk)

Exclusions

While researching, please refrain from:

• Denial of service

• Brute forcing

• Spamming

• Social engineering (including phishing) of Doppler staff, contractors, or customers

• Any physical attempts against Doppler property or data centers

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Doppler and our users safe!