Security Policy

Last Updated: January 27, 2025

Reporting Security Issues

At DanceGrid, we take security seriously. We appreciate the efforts of security researchers and the broader security community to help keep DanceGrid and our users safe.

If you believe you have discovered a security vulnerability, please report it to us responsibly. We will work with you to understand and resolve the issue quickly.

Security Contact:

security@dancegrid.app

Responsible Disclosure Guidelines

We follow responsible disclosure practices. When reporting a security vulnerability, please:

  • Provide detailed information about the vulnerability, including steps to reproduce it
  • Allow us a reasonable amount of time to address the issue before public disclosure
  • Do not access or modify user data without explicit permission
  • Do not perform any actions that could harm our users or our services
  • Do not violate any laws or breach any agreements in the course of your research
  • Keep the vulnerability details confidential until we have addressed it

In-Scope Vulnerabilities

We are interested in receiving reports about the following types of vulnerabilities:

  • Authentication and authorization flaws
  • SQL injection and other injection vulnerabilities
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • Insecure direct object references (IDOR)
  • Security misconfigurations
  • Exposure of sensitive data
  • Privilege escalation vulnerabilities

Out-of-Scope Issues

The following issues are considered out of scope and should not be reported:

  • Social engineering attacks
  • Physical security issues
  • Denial of service (DoS) attacks
  • Spam or content issues
  • Issues requiring physical access to a user's device
  • Missing security headers without a demonstrated security impact
  • Self-XSS (cross-site scripting that requires user interaction)
  • Clickjacking on pages without sensitive actions
  • Issues in third-party services or dependencies (please report to the vendor)
  • Vulnerabilities in outdated browsers or plugins

Response Timeline

We are committed to addressing security issues promptly:

  • Initial Response: Within 48 hours of receiving your report
  • Status Update: Within 7 days with an assessment and next steps
  • Resolution: We aim to resolve critical issues within 30 days, depending on complexity
  • Public Disclosure: After the issue is resolved and with your consent

Our Security Practices

DanceGrid implements multiple layers of security to protect our users and their data:

Data Protection

  • Encryption in transit (TLS/SSL)
  • Encrypted data at rest
  • Secure password hashing (bcrypt)
  • Regular security audits

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication support
  • Session management
  • Rate limiting

Infrastructure

  • Security headers (CSP, HSTS, etc.)
  • Regular dependency updates
  • Activity logging and monitoring
  • Backup and recovery procedures

Compliance

  • ISO 27001 aligned practices
  • GDPR compliance
  • Regular security assessments
  • Privacy by design

Acknowledgments

We are grateful to the security researchers and community members who have helped improve DanceGrid's security. This section recognizes individuals who have responsibly disclosed security vulnerabilities.

No security researchers have been acknowledged yet. Be the first by responsibly reporting a security vulnerability!

Note: We respect the privacy of security researchers. If you prefer to remain anonymous, we will honor that request. If you would like to be acknowledged, please let us know when you submit your report.

Legal Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith and follow responsible disclosure practices
  • Do not access or modify data beyond what is necessary to demonstrate the vulnerability
  • Do not violate any laws or breach any agreements
  • Do not cause harm to our users, services, or systems
  • Report vulnerabilities in a timely manner

This safe harbor applies only to security research activities that are conducted in accordance with this policy. Any activities that go beyond the scope of this policy may result in legal action.

Questions?

If you have questions about this security policy or need clarification on any aspect of responsible disclosure, please contact us at security@dancegrid.app.

For general inquiries, please visit our homepage or contact us at info@dancegrid.app.

Privacy PolicyTerms of Servicesecurity.txt