Last updated: 5 April 2026
Dinode takes the security of our platform and our customers' data seriously. We welcome responsible disclosure of security vulnerabilities from security researchers and the broader community. If you believe you have found a security vulnerability in any Dinode service, we encourage you to report it to us as described below.
This policy applies to vulnerabilities in:
The Dinode website (dinode.com and its subdomains).
The xMS platform and its APIs.
Any other services operated by Dinode Pty Ltd.
Please send vulnerability reports to security@dinode.com. Include as much detail as possible:
A description of the vulnerability and its potential impact.
Steps to reproduce the issue.
Any relevant screenshots, logs, or proof-of-concept code.
Your contact information so we can follow up.
If you would like to encrypt your report, contact us at the email above to request our PGP key.
To ensure responsible disclosure, we ask that you:
Give us reasonable time to investigate and address the issue before disclosing it publicly. We aim to acknowledge reports within 2 business days and provide an initial assessment within 10 business days.
Do not access, modify, or delete data belonging to other users.
Do not perform actions that could degrade, disrupt, or damage our services or infrastructure.
Do not use automated scanning tools against production systems without prior written approval.
Act in good faith and comply with all applicable laws.
When you report a vulnerability in accordance with this policy, we commit to:
Acknowledging your report within 2 business days.
Keeping you informed of our progress in addressing the issue.
Not pursuing legal action against you for security research conducted in good faith and in accordance with this policy.
Crediting you (if you wish) when we publicly disclose the fix.
The following are generally considered out of scope:
Social engineering (phishing) of Dinode employees or customers.
Denial of service attacks.
Vulnerabilities in third-party services or software not operated by Dinode.
Reports of missing security headers that do not demonstrate exploitable impact.
Reports from automated scanners without validated, exploitable findings.
Security reports: security@dinode.com
General enquiries: info@dinode.com