Responsible Disclosure Policy

Introduction

At Day One, we take the security of our systems seriously. We value the contributions of security researchers and the broader security community in helping us maintain a safe and secure environment for our users. This Responsible Disclosure Policy outlines how to report potential vulnerabilities and what you can expect from us in return.
 

Scope

This policy applies to:
  • All public-facing systems owned, operated, or controlled by [Your Organization Name].
  • Web applications, APIs, mobile apps, and infrastructure components.
Out of scope:
  • Social engineering (e.g., phishing, vishing)
  • Physical security
  • Denial of Service (DoS) attacks
  • Automated vulnerability scanners

Reporting a Vulnerability

If you believe you’ve discovered a security vulnerability, please submit your report to:
Please include:
  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code

Our Commitment

When you report a vulnerability in good faith, we commit to:
  • Acknowledging receipt of your report within 3 business days
  • Providing an estimated timeline for resolution
  • Keeping you informed of progress
  • Crediting you publicly (with your permission)

Safe Harbour

We will not take legal action against you if:
  • You act in good faith to report the vulnerability
  • You avoid privacy violations, data destruction, or service disruption
  • You do not exploit the vulnerability beyond what is necessary to demonstrate it

Recognition

We may offer public recognition or rewards for valid reports, depending on the severity and impact. Participation in our [bug bounty program] is subject to its own terms and conditions.
 

Policy Review and Maintenance

This policy is reviewed and updated regularly to ensure its relevance and effectiveness. The review process involves assessing the policy's alignment with current security threats, regulatory requirements, and industry best practices. Feedback from stakeholders is considered during the review process to identify areas for improvement. The updated policy is communicated to all employees and relevant parties to ensure awareness and compliance.
 

Waivers

Waivers from certain policy provisions may be sought following the DayOne Waiver Process.
 

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties. 
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.