Security Disclosure Policy
Last Updated: June 2026
1. In Scope
- dupedb.net and any subdomain (*.dupedb.net)
- The DupeDB API at /api/*
- The DupeDB Discord bot, where the issue is in our code
- Authentication, authorization, session, and CSRF flows
- Stored or reflected XSS, SQL injection, SSRF, file upload abuse, IDOR, privilege escalation
- Information disclosure of non-public user data (IP hashes excluded — those are intentionally one-way)
2. Out of Scope
Reports about the following will be closed without action:
- DoS via brute-force traffic, flooding, or resource exhaustion (test in your own environment)
- Social engineering of staff, moderators, or users
- Physical attacks on infrastructure
- Issues in third-party services (Discord, Cloudflare, GitHub, YouTube) — report to the vendor
- Issues in third-party Discord servers, even if linked from the Communities page
- Findings requiring an already-compromised account or device
- Automated-scanner output without a working PoC (e.g., generic header heuristics, "TLS 1.0 supported" on a host that doesn't accept TLS 1.0)
- Issues depending on outdated browsers or unsupported configurations
- Self-XSS requiring the victim to paste attacker-supplied JavaScript into their own console
3. How to Report
Send reports through either channel — whichever is easier:
- Discord — open a ticket on our Discord server
- Email — contact@dupedb.net
Please don't publicly disclose the issue until we've had a chance to fix it.
Helpful details to include: a clear description and impact, repro steps or PoC, affected URLs/endpoints/components, relevant logs or screenshots, and how you'd like to be credited (or kept anonymous).
4. Safe Harbor
If you act in good faith under this policy, we will treat your research as authorized, work with you to resolve the issue, and credit you publicly (with your consent) once a fix is deployed.
To stay within safe harbor:
- Only access accounts and data you own or have permission to test
- Stop immediately if you encounter user data that's not yours, and tell us in the report
- Do not exfiltrate, modify, or destroy data
- Do not run sustained high-volume scanners against production
- Do not publicly disclose before we confirm a fix is deployed (or 90 days pass with no response)
Activity outside this policy that violates the Terms of Service or applicable law is not covered by safe harbor and may be referred to law enforcement.
5. Rewards
No monetary bug bounties. We offer public credit on this page (or in commit messages) with your consent, a contributor role in the DupeDB Discord, and a cookie and a kiss on the cheeks /s.
6. Updates to This Policy
Updated as the project evolves; the Last Updated date reflects the most recent change. The /.well-known/security.txt Expires field is renewed at least annually.
7. Hall of Fame
Thanks to the following users for responsibly disclosing security issues affecting DupeDB. Listed in no order whatsoever.
- Thome (Discord) — stored XSS in user-content rendering, untrusted external-media loading, and iframe clickjacking. (January – February 2026)
- Mr.Toilet (Discord) — multiple stored XSS findings in admin and submission input. (January – February 2026)
- tinywifi (Discord) — file upload content-type validation bypass. (May 2026)