Responsible Disclosure

Reporting a vulnerability

If you believe you have discovered a security vulnerability in doconvoy, we ask that you disclose it to us responsibly before making it public.

Send your report to: security@doconvoy.com

What to include

• — A description of the vulnerability and its potential impact
• — Steps to reproduce the issue
• — Any proof-of-concept code or screenshots (if applicable)
• — Your contact information for follow-up

Our commitments

• — We will acknowledge your report within 2 business days
• — We will keep you informed of our progress toward a fix
• — We will not take legal action against researchers who disclose responsibly
• — We will credit researchers who wish to be credited, upon request

Scope

Reports are welcome for vulnerabilities in the doconvoy web application (app.doconvoy.com), the marketing website (doconvoy.com), and our core encryption implementation.

Out of scope: social engineering attacks, physical attacks, denial-of-service attacks, and vulnerabilities in third-party services we depend on.

Coordinated disclosure

We ask that you give us a reasonable timeframe (typically 90 days) to investigate and remediate confirmed vulnerabilities before public disclosure. We're committed to working with you to resolve issues promptly.