Security Policy

Vulnerability Disclosure Policy

Last updated: March 2026 5000fish, Inc.

5000fish, Inc. takes the security of DashboardFox seriously. We welcome reports from security researchers who discover potential vulnerabilities in our systems. This policy explains what is in scope, how to submit a qualifying report, and what you can expect from us in return.

Scope

This policy covers properties operated by 5000fish, Inc. Reports on anything outside this scope will not receive a response.

In Scope

  • dashboardfox.com and all subdomains
  • dashboardfox.app and all subdomains (including my., my-eu., customer workspaces)
  • 5000fish.com

Out of Scope

  • Self-hosted / on-premise DashboardFox installations
  • Third-party services (Cloudflare, Stripe, Chargebee, etc.)
  • Social engineering, phishing, physical attacks
  • Denial-of-service (DoS/DDoS) testing
  • Automated scanner output without manual verification
  • SPF/DKIM/email spoofing without demonstrated impact
  • yurbi.com — separate product, separate process

What We Want to Hear About

We're interested in reports that demonstrate real security impact:

  • Authentication or authorization bypass
  • Cross-site scripting (XSS) with demonstrated impact
  • SQL injection or other server-side injection vulnerabilities
  • Privilege escalation between accounts or workspaces
  • Exposure of sensitive customer data
  • Significant security misconfigurations with demonstrable risk

Report Quality Requirements

To be considered, every report must include all of the following:

  • The affected URL, endpoint, or component
  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions or a working proof of concept
  • Relevant screenshots, HTTP requests/responses, or supporting evidence
Reports that do not meet these requirements will not receive a response. We receive a high volume of low-quality and automated reports and cannot triage them individually. This is not personal — it exists to protect the time needed to investigate legitimate findings.

How to Report

Send qualifying reports by email to team@dashboardfox.com with the subject line [Security]. English preferred.

Please do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate.

Response Timelines

Acknowledgement
5 business days
Status Update
14 business days
Bug Bounty
Not offered

For valid, high-impact findings we are happy to provide public acknowledgement in our changelog or security advisories if you wish.

Safe Harbor

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy. We ask that you:

  • Only test against accounts and data you own or have explicit permission to test
  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Do not disrupt services or degrade the experience for other customers
  • Allow us reasonable time to respond before any public disclosure
This policy is intended to be consistent with the disclose.io framework for responsible disclosure.

Questions about this policy or to submit a qualifying report:

team@dashboardfox.com — use subject line [Security]
Early Access — 90 Days Free

Built lean. Priced fairly. Supported by humans.

Full access to all features. No credit card required.

Start Free Trial Have questions? Let's talk

Prefer no subscriptions & full control? Self-hosted from $4,995 one-time →

We'll notify you before Early Access ends

25+ years building BI tools Support from the team that builds it Available in US & EU regions
DashboardFox mascot