Security & Responsible Disclosure
Last updated 9 June 2026
We take the security of DeanOS and our users' data seriously. If you believe you have found a
security vulnerability in our service, we want to hear from you, and we will work with you to
understand and resolve it quickly.
How to report
Email security@getdeanos.com with a clear,
reproducible report. Please include:
- the affected URL, endpoint, or feature;
- step-by-step reproduction instructions;
- the date/time of your testing and the test account you used;
- the impact you believe the issue has;
- any relevant HTTP requests/responses — with secrets, cookies, and tokens removed;
- screenshots or a short video if they help.
Our commitment to you (safe harbor)
If you make a good-faith effort to comply with this policy during your research, we will consider
your testing to be authorized, we will work with you to understand and resolve the issue promptly,
and we will not pursue or support legal action against you in connection with your report. If a
third party brings legal action against you for activity that complied with this policy, we will
make our authorization known.
Scope
This policy covers:
- getdeanos.com and its subdomains;
- ceo.deanos.app (the application).
Third-party services we integrate with (for example payment, email, analytics, and AI providers)
are out of scope — please report issues in those products to their own vendors.
Testing rules — what is allowed
- Testing only against accounts you own or have explicit permission to use.
- Stopping as soon as you confirm a vulnerability exists, and reporting it.
- Keeping the details confidential until we have had a reasonable time to remediate.
What is not authorized
To protect our users, the following are not permitted and are not covered by safe harbor:
- accessing, modifying, retaining, or disclosing other users' data;
- denial-of-service, load, or stress testing;
- large-volume automated scanning that degrades the service;
- credential brute-forcing, password spraying, or phishing/social engineering of our staff or users;
- physical attacks, or attempts to establish persistence on our systems;
- destructive testing, or testing that intentionally degrades, deletes, or corrupts data;
- publicly disclosing an issue before we have resolved it and agreed on timing.
What to expect
- We aim to acknowledge your report within 3 business days.
- We will give you an honest assessment of severity and an expected timeline to fix.
- We will let you know when the issue is resolved, and we are happy to credit you if you wish.
Rewards
DeanOS does not currently operate a paid bug-bounty program, and submitting a report does not
create an expectation of payment unless agreed in writing in advance. We do genuinely value and
review every legitimate security report, and we are glad to publicly acknowledge researchers who
help us improve.
Contact
Security reports: security@getdeanos.com.
Machine-readable contact details: /.well-known/security.txt.