Version 3.0
Effective 01 April 2026
security@dragonfod.com
If you have found a vulnerability in anything we ship — the website, Cipher OS, the Cipher Terminal, or any Dragonfod platform — we want to hear from you. This policy tells you how to report it, what we commit to in return, and what activity we will not authorise.
1. Scope
In scope:
- dragonfod.com and all public sub-domains;
- Public release builds of Cipher OS (software packages and firmware signed by us);
- The Cipher Terminal (CT-1) hardware, including firmware and bootloader;
- Any public API we operate under a *.dragonfod.com domain.
Out of scope:
- Classified deployments, customer-operated instances, or any system you do not own or explicitly control;
- Third-party services we use (route those to the third party);
- Physical attacks, social engineering of our staff, denial-of-service testing;
- Theoretical attacks without proof of exploitability.
2. What we ask of you
- Act in good faith. Investigate only what is needed to demonstrate the issue.
- Do not access, modify, or delete data that is not your own. Stop when you have demonstrated the vulnerability.
- Do not run automated scanners against production at high volume without prior agreement.
- Give us a reasonable time to fix the issue before public disclosure — usually 90 days.
- Do not disclose the issue to any third party before we have fixed it, except for the UK National Cyber Security Centre or the US Cybersecurity and Infrastructure Security Agency if the issue is serious.
3. What we commit to you
- We will acknowledge your report within 2 business days.
- We will provide a triage decision within 7 business days.
- We will give you a public credit (unless you prefer anonymity) in the release notes of the fix.
- We will not pursue legal action against any researcher acting in good faith within the terms of this policy. This includes a safe-harbour commitment for activity that would otherwise be a technical breach of the Computer Misuse Act 1990 or the Computer Fraud and Abuse Act.
- For accepted reports that meet our severity criteria, we offer a reward under our bounty programme (see below).
4. How to report
Email security@dragonfod.com. For sensitive reports, please encrypt to our PGP key:
9H4K 2FDE 7A01 88B3 4C9D · E51F 6A27 DD80 3F14 C0E7
Our full PGP public key is published at /.well-known/pgp-key.asc and the security.txt file is at /.well-known/security.txt.
Please include:
- A clear description of the issue and its impact;
- Steps to reproduce, including versions, endpoints, and payloads;
- Any proof-of-concept code or screenshots;
- How you would like to be credited (or if you wish to remain anonymous).
5. Bounty
Rewards are paid in GBP and scaled by severity, quality of report, and exploitability. Indicative ranges:
- Critical (remote code execution on production, cryptographic break): £15,000 – £60,000
- High (authentication bypass, data exposure): £4,000 – £15,000
- Medium (meaningful data integrity issue, serious misconfiguration): £800 – £4,000
- Low (minor information disclosure, low-impact UI): £100 – £800
Final awards are at our discretion. We do not pay for theoretical issues, duplicates of open reports, or findings from automated scanners without a working proof-of-concept.
6. Hall of fame
Published researchers are listed at dragonfod.com/security/hall-of-fame. If you would like to be listed, say so in your report.
7. Changes
This policy is versioned at the top of this page and in our public security.txt. The safe-harbour commitment in section 3 applies to the version of this policy in effect at the time of the research activity.