Dashlane recognizes the importance of security researchers in helping keep our
community safe. We encourage responsible disclosure of security
vulnerabilities via our bug bounty program described on this page. If you
believe you've found a security bug in our service, we are happy to work with
you to resolve the issue promptly and ensure you are fairly rewarded for your
Coordinated Disclosure Guidelines
- Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue.
- Provide us a reasonable amount of time to respond and/or fix the issue.
- Make a good faith effort to not leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
- Please refrain from automated/scripted account creation.
At this time, the scope of our bug bounty program includes:
- The autofill/autologin ability of our extensions: especially any vulnerability that could allow a remote attacker to force the extensions to send credentials to a rogue site.
- Our website, www.dashlane.com, in particular:
- Our API endpoints:
- The native client applications on Mac OS and Windows.
- The native client application on iOS.
- The native client application on Android.
- Our standalone extensions (Chrome, Edge, Firefox); see the asset section.
- The business features (SAML, Group sharing, Emergency, etc.).
Dashlane may provide rewards to eligible reporters of qualifying
vulnerabilities. Our minimum reward is $100 USD, but reward amounts may vary
depending upon the severity of the vulnerability reported. Dashlane reserves
the right to decide if the minimum severity threshold is met and whether it
was previously reported.
To qualify for a reward under this program, you should:
- Be the first to report a specific vulnerability.
- Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
- Disclose the vulnerability report directly and exclusively to us. Public disclosure or disclosure to other third parties -- including vulnerability brokers -- before we have addressed your report will forfeit the reward.
- Don't post videos on YouTube or any other public service, even as unlisted videos.
- Create one report per vulnerability.
The following are out of scope:
- All hosts not listed below (please don't send reports for unlisted hosts).
- Content spoofing (URLs in invites, etc.).
- Missing security headers which do not lead directly to a vulnerability.
- Self-inflicted XSS.
- Missing best practices (we require evidence of a security vulnerability).
- Missing cookie flags on non-sensitive cookies.
- Any report that discusses how you can learn whether an email address has a Dashlane account.
- Disclosure of the tools and libraries used by Dashlane, and/or their versions.
- The fact that the "limited access" feature for shared credentials can be circumvented (see https://support.dashlane.com/hc/en-us/articles/202870872-Can-other-people-see-the-password-I-shared-with-them-).
- Bugs that involve physical attacks or social engineering against Dashlane offices or employees, spamming, malware distribution, or denial of service attacks.
- The referral program granting a 6-month free membership for each invite (cumulative up to 2 years); this is intentional.
- Attacks on desktop apps that require prior control of the host system (keylogger, memory dumping).
- For subdomain-takeover-related issues, please check your claim before reporting to avoid false positives.
- SPF/DMARC remarks.
- Any report that covers issues not in the scope of this program will be closed as N/A.
- Dead LinkedIn links on our Team page (https://www.dashlane.com/team); we do our best to keep it up to date, and we don't think H1 researchers squatting team members' profiles is useful for anyone.
If you discover an out-of-scope bug in Dashlane while looking for security
issues, you can report it to us by emailing our support team at
Thank you for helping keep Dashlane safe!
Hall of Fame