Vulnerability Disclosure Policy
Updated: January 20th, 2025
DataTrails Vulnerability Disclosure Program
DataTrails is dedicated to collaborating with the global research community to improve the security of our platform. DataTrails recognises the significant time and effort that ethical security researchers invest into helping advance the security of our platform. We are committed to diligently validating security vulnerability reports that we receive and prioritising the investigation and resolution of vulnerabilities.
Purpose
The purpose of this program is to provide a transparent and easy way for security researchers to collaborate with DataTrails. This program establishes the policies and guidelines for security researchers to conduct ethical research and report security vulnerabilities for DataTrails’ platform.
Guidelines
We kindly request all security researchers to not perform any of the following actions:
- Force the DataTrails platform to be unavailable or modify data that is not associated with your DataTrails user accounts.
- Infringe on the privacy of DataTrails users, directors, employees and contractors. Avoid accessing data belonging to DataTrails user accounts you do not control.
- Share sensitive or Personally Identifiable Information (PII) data retrieved from the DataTrails platform with any third party. This includes exposing such information as a result of irresponsible handling.
- Access excessive data beyond what is required to evidence the impact of a vulnerability or develop a benign Proof of Exploitation.
Reporting Instructions
- All vulnerability reports should be submitted using the Responsible Disclosure Form (`https://www.datatrails.ai/responsible-disclosure-form`), or by emailing security@datatrails.ai.
- Once you have submitted the report, we will respond to it within ten (10) working days, and aim to validate your report within fifteen (15) working days.
- Do not share the vulnerability information with other parties without DataTrails’ explicit consent.
- Do not submit complaints or questions about the platform through this program; these will not be responded to. Please contact the DataTrails support team at support@datatrails.ai for these queries instead.
- Reports detailing a vulnerability identified from automated scanning tools, such as Nessus, will be accepted but not eligible for a bounty.
Scope
In-scope domains
Vulnerabilities must fall within the `https://app.datatrails.ai` domain, i.e. the application platform.
DataTrails only considers vulnerabilities to be in-scope if they adhere to the following requirements:
- Must be original, previously unreported, and not already discovered by internal procedures.
- Must impact DataTrails or its users when exploited. Vulnerabilities which carry a theoretical impact will not be considered valid.
- Must not rely on the assumption of social engineering or gaining physical access to a device in order to demonstrate a vulnerability.
Out-of-scope domains
The DataTrails website, served at `https://datatrails.ai` and `https://www.datatrails.ai`, is excluded from scope.
Out-of-scope vulnerabilities
The security vulnerabilities listed below are considered out of scope and, as such, should not be reported:
- Username enumeration.
- Traditional Denial-of-Service (DoS) vulnerabilities. Examples include sending a large volume of requests to the platform’s hosting servers.
- Non-exploitable vulnerabilities which present a low risk. Examples include missing security headers or TLS configuration weaknesses, unless their absence leads to a demonstrable security vulnerability.
- Session management or session fixation vulnerabilities.
- Message injection attacks on dialogs except where the message can cause demonstrable harm in its own right.
Bug Bounty
DataTrails offers a paid bug bounty programme, the remuneration of which is aligned with industry averages from HackerOne’s annual reports. Our remuneration bands are reviewed on an annual basis.
DataTrails will validate reports in alignment with the following structure, and, at our own discretion, assess severity and award a bounty. Bounties will only be paid for vulnerabilities identified and reported in alignment with the rulings of this program. Submitting a report does not qualify the reporter for any bounty payment.
DataTrails commits to processing vulnerability reports in a timely fashion, with triage as soon as possible, then response and validation within the following time frames:
- CRITICAL: 2 business days
- HIGH: 5 business days
- MEDIUM: 10 business days
- LOW: 15 business days
A discretionary additional $50 USD bonus may be awarded if assistance is provided to help retest a vulnerability that DataTrails has implemented a remediation for.
Hall of Fame
Our Hall of Fame is under construction while we gain permission from researchers to list them here.
Legal
DataTrails provides safe harbour to all researchers:
- DataTrails views all security research activities that are performed in alignment with our Vulnerability Disclosure Program (VDP) to be authorised and legal.
- DataTrails will inform any third party who takes legal action against a security researcher to withdraw such allegations and to confirm that the researcher’s actions were approved. This is predicated on the researcher having complied with the Guidelines and Scope defined in the VDP.
- DataTrails will not seek prosecution of any security researcher who reports a security vulnerability as part of this VDP where the researcher has acted in good faith and in accordance with this VDP.
This program is designed in line with common vulnerability disclosure good practice and does not give you permission to act in any manner that is inconsistent with the law. This includes causing DataTrails to be in breach of any of its legal obligations, including but not limited to:
- The Computer Misuse Act (1990)
- The General Data Protection Regulation (GDPR) 2016/679
- The Data Protection Act (2018)
- The Copyright, Designs and Patents Act (1988)