Devdraft

Report a Security Vulnerability

At Devdraft, protecting our customers' data is our top priority. We welcome and value contributions from our community to help identify and address security vulnerabilities in our platform.

How to Submit a Report

If you've identified a security issue that falls outside our excluded categories, please email tech@devdraft.ai with the following information:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Information about your testing environment
  • Proof-of-concept code demonstrating the exploit, if available

After we receive your report, our security team will begin their investigation. We'll provide regular updates on our progress and may contact you if we need additional information. We'll notify our customers once the vulnerability has been addressed.

To recognize your contribution, we offer financial compensation for valid vulnerabilities with a CVSS score of 4 or above.

Priority Areas

  • Authentication bypass and privilege escalation
  • Unauthorized access to personally identifiable information (PII)
  • Cross-workspace data access
  • SQL injection and remote code execution

Testing Scope

  • https://console.devdraft.ai
  • https://widget.devdraft.
  • https://www.devdraft.ai
  • Devdraft Mobile application (iOS, Android)
  • Devdraft API: https://docs.devdraft.ai
  • Devdraft Desktop applications (macOS, Windows)

In scope

  • https://devdraft.ai
  • https://client-api.devdraft.ai
  • https://api.devdraft.ai
  • DevDraft Slack, GitHub, and Front apps

Excluded from Scope

  • Any form of automated scanning
  • Social engineering attempts, particularly targeting Devdraft employees
  • Denial of Service (DoS) attacks
  • Physical access attacks
  • Theoretical vulnerabilities without demonstrable exploits
  • Man-in-the-middle attacks
  • Clickjacking without meaningful security impact
  • Administrative users exploiting features to damage their own workspace
  • Bypassing subscription tier limitations to access premium features
  • Security configuration recommendations (HTTP headers, cookie settings, TLS configurations, DNS records including SPF/DKIM/DMARC/MTA-STS, CAA, DNSSEC) may be noted but typically won't qualify for rewards

Guidelines for Responsible Disclosure

  • Conduct testing only on accounts you own or have explicit authorization to test
  • Respect user privacy and avoid data destruction or service disruption
  • If you gain system access, refrain from attempting lateral movement or privilege escalation
  • Keep vulnerabilities confidential until we've had adequate time to implement fixes

Legal Protection

Security research conducted according to these guidelines is considered authorized activity. We will not pursue legal action against you for good-faith research. Should a third party initiate legal proceedings related to your authorized security research, we will publicly confirm that your actions complied with our security policy.