Security

Responsible Disclosure

We take security seriously. If you've found a vulnerability in DineHub, we want to hear from you. We appreciate researchers who help us keep our platform and our customers' data safe.

Updated: May 2026 · security.txt · info@dinehub.org

Scope

The following assets are in scope for responsible disclosure. Please only test against accounts and data you own.

In Scope
  • dinehub.org and all subdomains
  • Firebase Hosting (tavolina-ime)
  • Cloud Functions API endpoints
  • Authentication flow (OTP, email verification)
  • Reservation booking flow
  • Dashboard and admin panel
  • Firestore security rules

Out of Scope
  • Denial of service attacks
  • Social engineering of staff
  • Physical security
  • Third-party services (Firebase, Google)
  • Issues requiring physical device access
  • Automated scanner output without PoC
  • Rate limiting / brute-force on public endpoints

How to Report

Send your report to info@dinehub.org. Please include as much detail as possible so we can reproduce and assess the issue quickly.

What to include

A good report contains:

  • Description of the vulnerability and its potential impact
  • Affected URL, endpoint, or component
  • Step-by-step reproduction instructions
  • Screenshots, screen recordings, or proof-of-concept code
  • Your name or handle (for Hall of Fame acknowledgment)
Ready to report a vulnerability? We respond to all valid reports within 5 business days.

What Happens Next

1. Acknowledgement: We'll confirm receipt of your report within 5 business days.

2. Assessment: We triage and assess the severity. We may follow up with questions to better understand the issue.

3. Resolution: We work to fix the issue. We'll keep you updated on our progress and expected timeline.

4. Disclosure: Once resolved, we'll coordinate with you on public disclosure timing. With your consent, we'll add you to our Hall of Fame.

Guidelines

We ask that researchers follow responsible disclosure practices:

Do — give us reasonable time to fix the issue before public disclosure. We aim to resolve critical issues within 30 days and less severe issues within 90 days.

Do not — access, modify, or delete data belonging to other users. Do not perform actions that degrade service availability or affect other users' experience.

Do not — disclose the vulnerability publicly before we've had a chance to address it.

We currently operate a good-faith acknowledgment programme rather than a paid bounty. Researchers who report valid, in-scope vulnerabilities will be credited publicly in our Hall of Fame (with their consent) and will receive our sincere thanks.

Safe Harbour

We consider responsible security research conducted in accordance with this policy to be authorised. We will not pursue civil or criminal action against researchers who make a good-faith effort to comply with these guidelines. We will work with you to understand and resolve the issue quickly. Testing must be done only against your own accounts and must not impact other users.

Hall of Fame

We recognise and thank the researchers who have responsibly disclosed vulnerabilities to us. Be the first on this list.

No researchers yet — yours could be the first name here.