Last update: October 8th, 2025
Responsible Disclosure Policy
We value the security community and appreciate your efforts to help us keep our products and users safe. If you’ve discovered a potential vulnerability in one of our systems, we want to hear from you. This Responsible Disclosure Policy describes the terms and conditions of your participation as a researcher reporting vulnerabilities to Doppel Inc.
Scope
We welcome reports that identify genuine security vulnerabilities affecting our products, services, and infrastructure—as long as they pertain to systems we own and operate.
In-Scope Vulnerability Categories
- Authentication issues (login bypass, broken session management, missing rate limits)
- Authorization flaws (privilege escalation, IDOR)
- Injection vulnerabilities (SQLi, command injection, SSTI)
- Cross-Site Scripting (XSS) (stored, reflected, DOM-based with real impact)
- Cross-Site Request Forgery (CSRF) (on state-changing actions)
- Sensitive data exposure (credentials or PII via APIs or logs, hardcoded secrets)
- Security misconfigurations (exposed admin interfaces, insecure defaults — if owned by us)
- Server-side request forgery (SSRF) (especially if internal access is possible)
- Broken cryptography (use of weak algorithms)
- Business logic issues (abuse, fraud, or unintended behavior)
- Misconfigured APIs (lack of auth, excessive data exposure)
- Subdomain takeover (only if it affects domains we own and manage directly)
Out of Scope
To protect our systems and reduce unnecessary noise, the following are out of scope:
- Third-party platforms or services not owned by us (Auth0, Salesforce)
- Marketing or static sites (blog or docs) that don’t possess or process sensitive data
- Staging/dev/internal environments unless explicitly included
- Corporate email systems or employee phishing/social engineering
- DoS/DDoS, spam, brute force attacks, or resource exhaustion
- Automated scanning or fuzzing without prior permission
- Clickjacking on non-sensitive pages
- Open ports, version banners, or other informational-only issues
- Vulnerable libraries without demonstrated exploitability
- Self-XSS or bugs requiring victim cooperation
- Physical security testing (data center access or device tampering)
Issues falling into these categories are not eligible for acknowledgment or recognition unless they demonstrate clear security impact.
Rules of Engagement
We ask that researchers:
- Only test systems explicitly listed as in-scope
- Use their own test/demo accounts (no targeting real users)
- Avoid data exfiltration or modifying/deleting data
- Avoid causing service disruption
- Never perform social engineering or phishing
- Do not use automated scanners or brute-force tools
- Refrain from public disclosure without written permission, as detailed herein
- Do not attempt lateral movement or internal network pivoting
- Report findings promptly and responsibly
If you’re unsure whether something is in scope, please contact us at [email protected] before proceeding.
How to Report
Please send vulnerability reports to [email protected] and include the following:
- Summary of the vulnerability
- Steps to reproduce (screenshots or video welcome)
- Proof of concept (PoC) or test payloads
- Affected systems, URLs, endpoints, or parameters
- Assessment of potential impact
- Tools, browser, or device used in testing
- Date/time of discovery
- Your contact info (so we can follow up if needed)
- Suggested mitigation (optional but appreciated)
- Any related references or CVEs
Public Disclosure
You must not publicly disclose vulnerabilities without our written permission.
We are open to coordinated disclosure after a fix is implemented. You may request permission to publish your findings after remediation. Premature or unauthorized disclosure may disqualify you from recognition or reward.
Doppel reserves the right to immediately remove you from this disclosure program if you violate any of these terms and conditions as determined by Doppel.
Our Response
- We'll acknowledge receipt of your submission within 2 business days
- We'll provide a status update or initial analysis within 2 weeks
- If we determine the issue is valid and high/critical in impact, we will notify you once it has been remediated
Safe Harbor
We are committed to working with researchers acting in good faith with the intention of responsibly reporting their findings to Doppel. If you comply with this policy:
- Your testing will be considered authorized and exempt from our Terms and Conditions, which prohibit, among other things, deciphering, decompiling, disassembling, or reverse engineering any of the software comprising or in any way making up a part of our website.
- Your actions when operating as a researcher in adherence to this policy will be considered “authorized” conduct under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act (17 U.S.C. §1201), and other applicable computer use laws such as Cal. Penal Code 502(c).
- If legal action is initiated by a third party in response to your research activities in accordance with this policy, we will make it clear that your testing was authorized under this policy.
If you have any doubt about whether your testing is permitted, please reach out before proceeding.
You must comply with all applicable laws (including directives, regulations, and ordinances), including those of the country or region in which you reside or in which you use our software or access our website.
Rewards and Recognition
This is a non-paid disclosure program. However, we may offer discretionary thank-you rewards for submissions that demonstrate high or critical impact to the security of our systems or users. Such rewards are granted solely at our exclusive discretion. To be eligible for a reward you must have complied with this policy.
Factors considered in offering thank-you rewards include:
- Severity and exploitability
- Business impact
- Report clarity and completeness
- Whether the issue was already known
Reward decisions are entirely at our discretion and not guaranteed. If a monetary award is made you are responsible for the payment of all applicable taxes. Any rewards not accepted within one year, or waived, shall become ineligible for issuance. Valid submissions may also be eligible for public recognition (a Hall of Fame), with your permission.
Rewards may not be paid to you if you are in any U.S. embargoed country or on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.