Responsible Disclosure Policy

We take the security of DanceApp.net and its users seriously. We welcome security researchers who help us keep our platform safe.

Scope

The following assets are in scope:

  • danceapp.net and all subdomains
  • The DanceApp API (/api/*)

Rules

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform denial-of-service attacks.
  • Do not use automated scanners that generate excessive traffic.
  • Do not publicly disclose vulnerabilities before we have confirmed and resolved them.
  • Act in good faith and avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data.

How to Report

Send your findings to [email protected]. Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any supporting material (screenshots, proof-of-concept code, HTTP requests)

What to Expect

  • We will acknowledge your report within 3 business days.
  • We will work with you to understand and validate the issue.
  • We aim to resolve confirmed vulnerabilities as quickly as possible.
  • We will not take legal action against researchers who follow this policy.

Recognition

Researchers who responsibly disclose valid security issues will be credited on our Security Hall of Fame, unless they prefer to remain anonymous.

Out of Scope

  • Social engineering (phishing, vishing, etc.)
  • Physical security
  • Issues in third-party services or libraries (unless exploitable via DanceApp)
  • Clickjacking on pages with no sensitive actions
  • Missing security headers that do not lead to a direct vulnerability
  • Self-XSS
  • Rate limiting or brute force issues on non-authentication endpoints