How to report
Send your report to [email protected] with the subject line “Security Vulnerability Report.”
Include, where possible:
- a clear description of the vulnerability;
- the affected product, service, URL, or asset;
- steps to reproduce, including any proof-of-concept payload;
- the impact you believe the vulnerability could have;
- your name (or pseudonym) and how you would like to be credited if a fix is published.
If your report contains sensitive material, request our PGP key in your initial email and we will provide it.
What we commit to
When you submit a report in good faith and within the scope of this Policy, we commit to:
- acknowledge receipt within three (3) business days;
- provide an initial triage and severity assessment within ten (10) business days;
- keep you reasonably informed of progress;
- coordinate any public disclosure with you;
- credit you in the release notes of the fix unless you ask not to be credited;
- not pursue or support legal action against you for good-faith research that complies with this Policy.
We do not currently operate a paid bug bounty. We do recognize meaningful contributions in our release notes and may offer Dino RD&C-branded recognition (the specifics are at our discretion). If we adopt a paid bug bounty in the future, we will publish the program rules.
Scope
In scope:
- dinoaihost.com and its public subdomains;
- the public Cloudflare Worker endpoints that Dino RD&C operates (notably the Meta webhook relay);
- BOS software running on a Dino appliance for which you have explicit authorization to test;
- the agent orchestration system, meta-agent factory, and skill content shipped with BOS for which you have explicit authorization to test.
Out of scope:
- vulnerabilities in third-party services (Stripe, Twilio, Meta, Google, Cloudflare, Apple, Mosyle, Bright Data, LinkedIn, X, cloud LLM providers) — please report those directly to the relevant provider;
- volumetric denial-of-service attacks;
- social engineering of Dino RD&C personnel, customers, or end-users;
- physical attacks against Dino RD&C facilities or hardware;
- spam, content-injection scanning, or generic crawling;
- any testing of Customer appliances without that Customer’s explicit, documented authorization;
- vulnerabilities that require root or physical access to a Customer-owned Appliance the researcher has been authorized to physically access.
Safe-harbor for good-faith research
If your research:
- stays within scope above;
- avoids privacy violations, destruction of data, and interruption or degradation of service;
- limits testing to accounts and assets you own or have explicit authorization to test;
- discloses promptly to Dino RD&C and gives us a reasonable time to remediate before public disclosure;
then Dino RD&C will not initiate, support, or pursue legal action against you for that research. This safe-harbor is provided to the extent Dino RD&C has authority to provide it. We cannot waive third-party rights or applicable law.
Disclosure timeline
Our default coordinated-disclosure window is ninety (90) days from triage. We may request an extension for vulnerabilities that require coordinated upstream fixes (for example, vulnerabilities involving Apple, Cloudflare, or third-party LLM providers). If we cannot fix in 90 days and an extension is not warranted, we will tell you and you may publish.
What you should not do
While testing in scope, please do not:
- access, modify, exfiltrate, or destroy data that does not belong to you;
- pivot from one in-scope asset to an out-of-scope asset;
- run automated scanners that generate excessive traffic;
- publish the vulnerability before the coordinated-disclosure window elapses;
- demand payment in exchange for not disclosing.
The last item, especially, is not security research. We treat extortion attempts as criminal matters.
Customer responsibilities
If you are a Customer and a security incident affects your Appliance:
- Contact Dino RD&C immediately at [email protected] with the subject line “Customer Security Incident.”
- Do not modify the Appliance state in ways that destroy forensic evidence (logs, files, memory).
- Coordinate with Dino RD&C for incident response, where authorized.
Dino RD&C’s breach-notification obligations are set out in the DPA.
PGP key
Available on request. Email [email protected] with the subject “Request PGP Key.”
Contact
QUESTIONS · [email protected]