Detector Security & Responsible Disclosure Policy
Super Nova Research Inc., operating as Draft&Goal
Version 1.0 — Last updated July 16, 2026
Super Nova Research Inc., doing business as Draft&Goal (“Draft&Goal,” “we,” “us,” or “our”), is committed to protecting Detector, its users, and Customer Data. This Policy summarizes our security approach and provides rules for good-faith vulnerability research and responsible disclosure.
This Policy is not a warranty, service-level agreement, or authorization to test systems outside the scope below. Contractual security and incident terms in an applicable Data Processing Addendum (“DPA”), Order Form, or Service Level Agreement (“SLA”) take precedence for that Customer.
Part I — Security Program
1. Governance and Risk Management
We maintain an information-security program designed to identify, assess, treat, and monitor risks to the confidentiality, integrity, and availability of Detector and Customer Data. The program includes defined responsibilities, policies, risk assessment, asset and supplier management, security review, incident response, business continuity, training, and continuous improvement.
Our information-security management practices are aligned with ISO/IEC 27001:2022, and our AI governance practices are aligned with ISO/IEC 42001:2023. Any certification, audit, or assurance status and its exact scope are stated in our Trust Center at https://trustcenter.dng.ai. References to alignment do not expand the scope of a certification or create a contractual warranty.
2. Safeguards
Depending on the system, risk, and service tier, safeguards may include:
- encryption in transit using current industry-standard transport security;
- encryption at rest for Customer Data where appropriate;
- role-based access control, least privilege, and access review;
- multi-factor authentication for privileged or internal access where appropriate;
- logical separation of Customer environments and data;
- secrets management and restrictions on production access;
- secure development practices, peer review, automated checks, and change control;
- vulnerability identification, dependency management, patching, and penetration testing;
- centralized logging, monitoring, alerting, and anomaly detection;
- backups, recovery procedures, and resilience planning;
- personnel confidentiality, security and privacy training, and offboarding controls;
- vendor security review and contractual safeguards; and
- incident response, escalation, evidence preservation, and lessons learned.
Security controls evolve with risks, technology, and service design. No system can be completely secure, and we do not guarantee that all attacks or defects will be prevented.
3. Customer Responsibilities
Security is shared. Customers must:
- protect credentials, devices, API keys, exports, and integrations;
- use unique passwords and available multi-factor authentication;
- grant only necessary access and promptly remove former users;
- keep contact and administrator details current;
- configure integrations and sharing appropriately;
- avoid submitting secrets or sensitive regulated data unless expressly supported; and
- promptly report suspected compromise to security@dng.ai.
4. Security Incidents
We maintain procedures to identify, contain, investigate, remediate, document, and learn from security incidents. Where an incident affects Personal Information or Customer Data, we will notify affected Customers, individuals, regulators, or other parties as required by law, the DPA, and the applicable agreement.
Customers should report suspected account compromise, unexpected access, or data exposure to security@dng.ai. For urgent reports, begin the subject line with “URGENT SECURITY INCIDENT.” Do not include passwords, private keys, full payment-card data, or unnecessary Personal Information in email.
5. Assurance Information
Enterprise Customers may request available security documentation, subprocessor information, or assurance materials through https://trustcenter.dng.ai or security@dng.ai. Access may require authentication, a confidentiality agreement, or a legitimate business need. Any SLA, audit right, data-residency commitment, or customized control must be stated in an Order Form or DPA.
Part II — Responsible Vulnerability Disclosure
6. Scope
Unless we state otherwise in the Trust Center, the following first-party assets are in scope:
https://detector.dng.ai;- first-party Detector API endpoints expressly documented for public or Customer use; and
- other Internet-facing assets that display or link directly to this Policy and are owned and operated by Super Nova Research Inc.
The following are out of scope:
dng.ai,studio.dng.ai, or other Draft&Goal services unless they separately link to this Policy or we confirm scope in writing;- third-party services and infrastructure, including hosting, payment, identity, analytics, advertising, content-delivery, and model providers;
- Customer-controlled websites, domains, integrations, accounts, data, or deployments;
- employee, contractor, or user devices and accounts;
- physical premises and physical security; and
- any system you do not reasonably believe is owned and operated by us.
If ownership or scope is unclear, ask security@dng.ai before testing. This Policy cannot authorize testing of a third party’s system.
7. Permitted Good-Faith Research
Research is permitted under this Policy only if you:
- act in good faith to identify and report a security vulnerability;
- test only in-scope assets and use accounts and data you own or are expressly authorized to use;
- use the minimum interaction and data necessary to demonstrate the issue;
- avoid harm, disruption, degradation, privacy intrusion, and access to other users’ data;
- stop immediately if you encounter Customer Data, Personal Information, credentials, secrets, or evidence of active compromise;
- do not retain, copy, download, transmit, modify, delete, or disclose data beyond the minimal evidence necessary;
- report the issue promptly and keep it confidential during coordination;
- give us a reasonable opportunity to investigate and remediate before public disclosure;
- comply with applicable law; and
- follow our reasonable instructions to reduce risk or validate remediation.
Use test accounts wherever possible. If proof requires a potentially harmful action, describe the proposed test and obtain written authorization before performing it.
8. Prohibited Testing
You must not:
- conduct denial-of-service, distributed denial-of-service, stress, load, resource-exhaustion, or amplification testing;
- use destructive payloads, ransomware, malware, persistence, botnets, or command-and-control infrastructure;
- perform social engineering, phishing, vishing, smishing, credential stuffing, password spraying, brute force, or attacks on users or personnel;
- send spam or unsolicited messages;
- access, alter, delete, exfiltrate, or publicly expose Customer Data or Personal Information;
- test payment methods with stolen, invalid, or unauthorized financial information;
- bypass physical security, employee controls, or third-party service protections;
- conduct automated scanning at a volume that degrades service or exceeds documented rate limits without written permission;
- pivot from Detector to another system, establish persistence, or use a vulnerability to access an additional account;
- extort, threaten, demand payment, or condition confidentiality on compensation; or
- publicly disclose an unremediated issue contrary to Section 12.
The Acceptable Use Policy continues to apply.
9. Safe Harbor
If you make a good-faith effort to comply with this Policy, we will treat your research as authorized under this Policy and will not initiate legal action against you for an accidental, good-faith violation. If a third party initiates legal action based solely on compliant research of our in-scope assets, we will take reasonable steps to clarify that the research was conducted under this Policy.
Safe harbor does not apply to conduct that is malicious, reckless, unlawful, outside scope, harmful, coercive, or continued after we ask you to stop. It does not bind third parties, regulators, or law-enforcement authorities and does not give permission to violate another person’s rights. If you are uncertain whether an action is permitted, contact us before acting.
We consider research consistent with this Policy to be conducted in a manner intended to avoid harm under applicable anti-circumvention and computer-access laws. This statement is not legal advice and does not waive rights unrelated to compliant research.
10. How to Report
Email security@dng.ai with the subject “Detector Vulnerability Report — [short title]” and include, where available:
- affected asset, URL, endpoint, and feature;
- vulnerability type and potential impact;
- clear reproduction steps using a test account;
- minimal proof of concept, request and response details, screenshots, or logs;
- date and time observed and relevant environment information;
- whether any Personal Information or Customer Data may have been exposed;
- suggested remediation, if known;
- your name or handle and preferred contact method; and
- whether you want public acknowledgment after remediation.
Redact credentials, tokens, Personal Information, and Customer Data. Do not attach executable malware. If sensitive evidence is necessary, first request a secure transfer method from security@dng.ai.
Anonymous reports are accepted, but we may be unable to ask clarifying questions or provide updates.
11. Our Response
We aim to:
- acknowledge a complete report within three (3) business days;
- provide an initial triage or request more information within ten (10) business days;
- prioritize remediation based on likelihood, impact, exploitability, and affected data; and
- provide status updates at reasonable intervals for validated material issues.
These are targets, not SLAs. Complex issues, third-party dependencies, duplicate reports, incomplete information, or legal constraints may require more time. We may ask you to validate a fix using only the methods permitted here.
12. Coordinated Disclosure
Do not publicly disclose a suspected vulnerability, exploit, affected data, or technical details until we confirm remediation or we agree in writing on disclosure timing. We will work in good faith toward coordinated disclosure appropriate to the risk.
If no timeline is agreed, we ask that you allow at least ninety (90) days after we validate the report before disclosure. A longer period may be necessary where disclosure would create a material risk to users, expose Personal Information, violate law, or depend on a third-party fix. We will not unreasonably delay disclosure after the risk is addressed.
Any disclosure must protect users and Personal Information, omit exploit-enabling details that remain dangerous, and accurately describe the scope and status of remediation.
13. Recognition and Rewards
We may acknowledge researchers who submit valid reports and request recognition, subject to their consent and legal or confidentiality constraints. This Policy does not create a bug bounty or promise payment, reward, employment, or contract. Any reward is discretionary unless a separate written bounty program states otherwise.
14. Exclusions and Report Quality
The following are generally not security vulnerabilities unless they create a demonstrable material impact:
- missing best-practice headers without an exploitable consequence;
- self-XSS or issues requiring a victim to paste code into developer tools;
- clickjacking on pages with no sensitive action;
- rate-limit observations without a practical security impact;
- scanner-only reports without validation;
- version disclosure or banner information;
- email spoofing claims without evidence of a domain configuration defect;
- denial-of-service findings prohibited by Section 8;
- social-engineering scenarios;
- concerns about AI classification accuracy, model bias, prompt quality, or hallucination without a security impact; and
- vulnerabilities solely in an out-of-scope third-party service.
Quality, false-positive, or AI-safety concerns that are not security vulnerabilities should be sent to detector@dng.ai.
15. Changes and Contact
We may update this Policy as Detector and security practices evolve. The version posted at https://detector.dng.ai/legal/security-responsible-disclosure is current.
Security and vulnerability reports: security@dng.ai
Detector support and quality issues: detector@dng.ai
Privacy: privacy@dng.ai
Legal: legal@dng.ai
Super Nova Research Inc. (d/b/a Draft&Goal)
6795 rue Marconi, Bureau 200
Montréal (Québec) H2S 3J9, Canada