Security

Bug Bounty Program

Dashverse welcomes security researchers to disclose vulnerabilities responsibly. This page outlines the rules, scope, and rewards for participating in our program.

Policy

Dashverse is on a mission to re-invent how stories are created and consumed using generative AI. Our products — including Dashtoon, DashReels, and Shortfree — span comics, manga, manhwa, and short-form video, and we are committed to building a safe platform for our creators and audience.

We welcome security researchers to submit vulnerabilities in an ethical and responsible manner. Reports can be sent to [email protected].

Program Rules

  • By participating in the Dashverse bug bounty program, you agree to provide reports with sufficient detail and reproducible steps.
  • If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service.
  • Dashverse employees are not permitted to participate in this bug bounty program.
  • In case of any privacy violations, destruction of data, interruption or degradation of data, or any breach of the terms and conditions of this bug bounty program, Dashverse reserves its right to take appropriate action and/or report to regulatory authorities.
  • No person or entity which has any form of pending criminal case shall be eligible to participate in the program.
  • Dashverse shall be entitled to seek necessary information / documents / declarations in this regard before disbursal of bug bounty rewards.
  • Dashverse authorizes good-faith security testing solely within the scope of this program and in compliance with these rules. Dashverse will not initiate legal action against participants for activities conducted in accordance with this policy and within the defined scope.
  • Participants must immediately cease testing upon accessing personal information, confidential business information, or third-party content not belonging to the participant. Only the minimum information necessary to demonstrate the vulnerability may be collected.
  • Participants shall not retain, disclose, transfer, sell, publish, or otherwise process any personal data discovered during testing except to the extent strictly necessary to report the vulnerability to Dashverse.
  • Persons convicted of cybercrime, fraud, data theft, unauthorized access offenses, or similar offenses within the preceding five years are not eligible.
  • Rewards will not be paid where prohibited by applicable sanctions, export control laws, anti-money laundering laws, or other applicable legal restrictions.
  • Participants are solely responsible for all taxes arising from bounty payments. Dashverse may withhold taxes or request tax documentation where required by applicable law.
  • Dashverse retains sole discretion regarding eligibility, severity classification, reward amount, duplicate determination, and payment of any bounty.
  • By submitting a report, the participant grants Dashverse a perpetual, worldwide, irrevocable, royalty-free right to use, reproduce, modify, and incorporate the report and any related materials for security remediation and internal purposes.

Response Targets

Dashverse will make a best effort to meet the following service level agreements for researchers participating in the program:

  • First Response: 2 business days
  • Time to Triage: 3 business days
  • Time to Bounty: 14 business days
  • Time to Resolution: Depends on severity and complexity

We'll do our best to keep you informed about our progress throughout the process.

Scope

The current scope of the program covers:

  • dashtoon.com
  • dashreels.com
  • shortfree.com
  • frameo.ai
  • studio.dashtoon.ai
  • Dashtoon Android & iOS application
  • DashReels Android & iOS application
  • Shortfree Android & iOS application

Rewards

  • Low: up to $50
  • Medium: up to $100
  • High: up to $300
  • Critical: up to $600

By default, we categorise reports using the CVSS v3.0 calculator. However, we may increase or decrease the severity assigned by the calculator, as for certain types of vulnerabilities the calculator score does not reflect reality well. We aim to define and pay out bounties within 30 days of verifying the severity of an issue, or once the issue is resolved.

Program Access Requirements

While conducting your security assessment, we request that all researchers append the following header to their requests so we can identify legitimate testing traffic:

X-Dashverse-BugBounty: <your email address>

Out of Scope Vulnerabilities

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.
  • Rate limiting or brute force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  • Tabnabbing.
  • Open redirect — unless an additional security impact can be demonstrated.
  • Issues that require unlikely user interaction, e.g. installing a malicious app onto a user's device.

Prohibited Activities

  • DDoS attacks of any kind.
  • Gaining access to user accounts and modifying the information is strictly prohibited. You should always use your own user accounts across Dashverse properties to showcase or find the vulnerability. Refrain from testing on any user account which doesn't belong to you.
  • Don't dump any information of users or sellers using a vulnerability that has been discovered.

Participant Eligibility, Identity Verification, Tax Documentation and Payment Compliance

Participation in the Dashverse Bug Bounty Program is limited to individuals who are at least eighteen (18) years of age at the time of submission of a vulnerability report. Persons under the age of eighteen (18) are not permitted to participate in the Program, submit vulnerability reports, or receive bounty payments.

By submitting a vulnerability report, each participant represents and warrants that they are at least eighteen (18) years old, have the legal capacity to enter into and be bound by these Program Terms, and are eligible to participate in the Program under applicable laws and regulations.

As a condition to receiving any bounty payment, Dashverse shall require the participant to provide reasonable proof of age, identity, tax status, payment details, or other documentation necessary to verify eligibility and comply with applicable legal, tax, accounting, anti-money laundering, sanctions, regulatory, or payment processing requirements. Such documentation may include government-issued identification documents, IRS Forms W-9, W-8BEN, W-8BEN-E, or equivalent forms and certifications required under applicable law.

Participants shall provide any requested documentation within the timeframe specified by Dashverse and shall ensure that all information provided is accurate, complete, and current.

Dashverse reserves the right, in its sole discretion, to withhold, delay, deny, cancel, recover, or refuse any bounty payment if: (a) the participant fails to provide requested documentation; (b) Dashverse is unable to verify the participant's age, identity, tax status, or eligibility; (c) the participant provides false, misleading, incomplete, or fraudulent information; (d) the participant violates these Program Terms; or (e) Dashverse determines that making the payment would violate applicable law, sanctions regulations, tax requirements, anti-money laundering requirements, or the policies of its payment providers.

Participants are solely responsible for any taxes, duties, levies, reporting obligations, or similar governmental charges arising from bounty payments received under the Program. Dashverse may withhold taxes or other amounts from bounty payments where required by applicable law.

Any determination by Dashverse regarding participant eligibility, age verification, identity verification, tax documentation, bounty qualification, reward amount, or payment eligibility shall be final and binding.

Disclosure Policy

We don't allow public disclosures. Please obtain written permission from our team before any disclosure. Public disclosures are at Dashverse's sole discretion.

Suggestions

Have suggestions about this policy? Send us a note at [email protected] with the subject "Suggestion on bug bounty program". Suggestions on the reward amounts will be ignored. Anything else is gladly welcomed.