Bug Bounty Program

Dashverse is on a mission to re-invent how stories are created and consumed using generative AI. Our products — including Dashtoon, DashReels, and Shortfree — span comics, manga, manhwa, and short-form video, and we are committed to building a safe platform for our creators and audience.

We welcome security researchers to submit vulnerabilities in an ethical and responsible manner. Reports can be sent to [email protected].

• By participating in the Dashverse bug bounty program, you agree to provide reports with sufficient detail and reproducible steps.
• If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service.
• Dashverse employees are not permitted to participate in this bug bounty program.
• In case of any privacy violations, destruction of data, interruption or degradation of data, or any breach of the terms and conditions of this bug bounty program, Dashverse reserves its right to take appropriate action and/or report to regulatory authorities.
• No person or entity which has any form of pending criminal case shall be eligible to participate in the program.
• Dashverse shall be entitled to seek necessary information / documents / declarations in this regard before disbursal of bug bounty rewards.

Dashverse will make a best effort to meet the following service level agreements for researchers participating in the program:

We'll do our best to keep you informed about our progress throughout the process.

The current scope of the program covers:

• dashtoon.com
• dashreels.com
• shortfree.com
• frameo.ai
• studio.dashtoon.ai
• Dashtoon Android & iOS application
• DashReels Android & iOS application
• Shortfree Android & iOS application

By default, we categorise reports using the CVSS v3.0 calculator. However, we may increase or decrease the severity assigned by the calculator, as for certain types of vulnerabilities the calculator score does not reflect reality well. We aim to define and pay out bounties within 30 days of verifying the severity of an issue, or once the issue is resolved.

While conducting your security assessment, we request that all researchers append the following header to their requests so we can identify legitimate testing traffic:

X-Dashverse-BugBounty: <your email address>

The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.
• Rate limiting or brute force issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
• Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
• Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
• Tabnabbing.
• Open redirect — unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction, e.g. installing a malicious app onto a user's device.

• DDoS attacks of any kind.
• Gaining access to user accounts and modifying the information is strictly prohibited. You should always use your own user accounts across Dashverse properties to showcase or find the vulnerability. Refrain from testing on any user account which doesn't belong to you.
• Don't dump any information of users or sellers using a vulnerability that has been discovered.

We don't allow public disclosures. Please obtain written permission from our team before any disclosure. Public disclosures are at Dashverse's sole discretion.

Have suggestions about this policy? Send us a note at [email protected] with the subject "Suggestion on bug bounty program". Suggestions on the reward amounts will be ignored. Anything else is gladly welcomed.