Responsible Disclosure Program

At Docfield.com, we are committed to ensuring the security and privacy of our users. Have you discovered a security flaw in Docfield? Please notify us before informing anyone else, so that we can fix it first. This practice is called 'responsible disclosure'.

Program Scope

This program covers vulnerabilities in the following Docfield.com assets:

  • Web Application: All functionality reachable by authenticated users and by unauthenticated visitors
  • APIs: Publicly accessible APIs associated with Docfield.com
  • Subdomains: *.docfield.com (e.g., app.docfield.com, api.docfield.com)

Out of Scope

  • Third-party services or applications not directly controlled by Docfield.com
  • Social engineering, phishing, or physical attacks
  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks
  • Issues without clear security impact (e.g., clickjacking on static pages, missing security headers with no demonstrated exploit)
  • Self-XSS or vulnerabilities requiring unlikely user interaction
  • Rate-limiting or brute-force issues without demonstrated exploitable impact
  • Content spoofing or text injection without significant security impact
  • The Docfield marketing website and its marketing forms

Responsible Disclosure Guidelines

  • Report vulnerabilities promptly via email to security@docfield.com with a clear description, steps to reproduce, a video recording where it helps to demonstrate the issue, and the potential impact.
  • Do not publicly disclose vulnerabilities until we have resolved them and granted permission.
  • Limit exploitation to the minimum required to demonstrate the issue (e.g., no data modification, deletion, or exfiltration).
  • Do not access or modify data belonging to other users without explicit permission; test against accounts you control wherever possible.
  • If you inadvertently access personal data, do not store, transmit, or disclose it. Mention this immediately in your report so that we can take appropriate action.
  • Allow us reasonable time (typically 90 days) to resolve issues before expecting public disclosure.

What to expect

  • Before you report the security flaw, check that you comply with the conditions described above. If you do, Docfield will not attach any legal consequences to your notification.
  • Docfield treats the notifications it receives confidentially. It will not share your personal details with third parties without your permission unless required to do so by law or a court order.
  • Docfield can, if you wish, mention your name as the one who discovered the security flaw.
  • Docfield will send you an acknowledgement of receipt within one working day.
  • Docfield will respond to your notification within three working days. Its response will contain an assessment of your notification and the date on which it expects to remedy the flaw.
  • Docfield will keep you – as the one who discovered the flaw – informed of the progress made in remedying it.
  • Docfield will remedy the flaw as soon as possible, certainly no later than 60 days after receiving the notification. Docfield will work with you to determine whether and, if so, how the flaw reported is to be made public. It will not be made public until after it has been remedied.
  • This program is a responsible disclosure program only. No financial rewards, bounties, or other compensation are offered for submitted vulnerability reports.

Submission Process

  • Email security@docfield.com with the following details:
    • Vulnerability description
    • Steps to reproduce (including tools, payloads, or screenshots if applicable)
    • Affected asset (e.g., URL, API endpoint)
    • Potential impact
    • Your contact information (name, email, optional public handle for recognition)
  • Your personal data provided in the submission will be processed in accordance with our Privacy Policy and will only be used for the responsible disclosure and communicating with you about your submission.
  • We will acknowledge receipt and provide updates on our assessment within the timelines stated under 'What to expect' above.
  • Once validated and resolved, we can discuss recognition preferences.

Safe Harbor

We will not pursue legal action against researchers who:

  • Follow this program’s guidelines
  • Act in good faith to identify vulnerabilities
  • Do not harm our users, systems, or data

Malicious activity (e.g., data theft, or unauthorized access beyond what is needed for a proof-of-concept) falls outside this safe harbor and may result in legal action.

Recognition

With your consent, we will:

  • List your name or handle on our Hall of Fame
  • Acknowledge your contribution in release notes or blog posts (if applicable)

Program Updates

We may update this program at any time. Changes will be posted on this page, and ongoing submissions will be subject to the latest terms.

Contact

For questions or submissions, email security@docfield.com. Thank you for helping keep Docfield.com secure!