Aug 11, 2025

Vulnerability Disclosure Policy

We welcome responsible security research to help keep Dreambase and our users safe. This policy describes authorized research, how to report findings, how we respond, and legal protections for good‑faith research.

Scope (in‑scope targets)

  • Dreambase web app and APIs: dreambase.ai and subdomains

  • Slack app integration: “Dreambase” Slack app, OAuth flows, webhooks, event handlers

  • Workspace, project, chat, and file features (including optional chat‑saving)

  • Authentication and authorization flows (session, roles, RLS)

  • Supabase database access controls and storage paths

  • Vercel‑hosted application endpoints

Out of scope

  • Social engineering, physical security, DDoS/stress testing, spam

  • Third‑party providers’ platforms themselves (e.g., Vercel, Supabase, Anthropic, OpenAI, Google, Mistral, Meta, FullStory, PostHog, Segment, Google Analytics)

  • Non‑security content issues, format/style bugs

Testing rules (authorized methods)

  • Only test with accounts you own or have explicit permission to use

  • No exfiltration or tampering with data belonging to others

  • No service degradation or availability testing (e.g., DDoS)

  • Use proof‑of‑concepts that minimize data exposure and impact

  • Do not access, modify, or delete data outside your test account

How to report

  • Email: support@dreambase.ai (preferred)

  • Subject: “Vulnerability Report: [brief title]”

  • Include: affected target/endpoint, detailed description, steps to reproduce, impact, suggested severity (CVSS), logs or screenshots, and your contact info

  • Encryption: If desired, request our PGP public key via support@dreambase.ai to encrypt your report

Coordinated disclosure & timelines (SLAs)

  • Acknowledgment: within 3 business days

  • Triage & initial assessment: within 7 business days

  • Remediation plan: shared within 14 business days for valid findings

  • Fix priority: based on CVSS score and exploitability

  • Public disclosure: coordinated with researcher after fix or within a mutually agreed timeline; please do not publish before coordination

Legal safe harbor
If you follow this policy and conduct good‑faith, non‑destructive testing, we will not pursue civil action or refer for criminal investigation. Unauthorized access to others’ data, disruption, or non‑compliant behavior voids safe harbor.

Severity classification (CVSS guidance)

  • Critical: auth bypass, RCE, data exfiltration across tenants

  • High: privilege escalation, significant injection, broken access controls

  • Medium: sensitive info exposure requiring specific conditions

  • Low: best‑practice deviations without material risk

Response & remediation

  • We validate, prioritize, and track issues to resolution

  • We may request additional details or proof‑of‑concepts

  • We issue fixes and may apply compensating controls where needed

  • We will notify you when remediation is complete and coordinate disclosure

Recognition
We offer non‑monetary recognition for significant contributions (e.g., Hall of Fame listing). No bug bounty is currently offered.

Program coverage

  • This policy covers the Dreambase Slack app

  • Third‑party services used by Dreambase are out‑of‑scope, but findings impacting our integration with them are in‑scope

Privacy & data handling

  • Reports may include limited diagnostic data; we store them securely

  • Researcher‑provided data used for validation is retained only as long as necessary to remediate, then deleted or anonymized

  • Backups may retain minimal metadata up to 90 days per our Privacy Policy

Contact for security issues

  • Primary: support@dreambase.ai

  • Emergency/abuse: same address, include “URGENT” in subject