Updated: January 1, 2026
1. Background
DNAstack is committed to ensuring the safety and security of our customers, users, and employees. We aim to foster an environment of trust and an open partnership with the security community, and we recognize the importance of responsible vulnerability disclosure and timely reporting of security concerns in maintaining the confidentiality, integrity, and availability of our systems and data.
This procedure is intended to provide a clear, responsible, and safe way for external parties to report security-related concerns so that they can be reviewed and addressed appropriately.
2. Scope
We will openly accept reports for all DNAstack products listed or linked to from the DNAstack webpage. Reports under this policy may be submitted by customers, users, security researchers, partners, or other third parties and may relate to suspected or confirmed security vulnerabilities, security incidents, or other concerns affecting DNAstack systems or services.
This includes services located at URLs of the form:
- dnastack.com and its subdomains.
- all DNAstack-owned domains of the form .ai and their subdomains. This includes, for example:
- neuroscience.ai and its subdomains
- biomedical.ai and its subdomains
- viral.ai and its subdomains
- hifisolves.org and its subdomains
- omics.ai and its subdomains
This includes concerns related to the unauthorized access, disclosure, alteration, or loss of personal or sensitive data processed by DNAstack.
3. Legal
DNAstack will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming DNAstack or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of DNAstack. For example, violating laws that would only result in a claim by DNAstack (and not a criminal claim) may be acceptable as DNAstack is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
4. Security Vulnerability or Incident Reporting
How to Submit a Vulnerability
To submit a security vulnerability report, suspected or confirmed security incident, or other security-related concern to DNAstack, please email security@dnastack.com with relevant details. Reports may be submitted as a link to a Google Doc or as an attachment in text, rich text, markdown, or Word (.doc, .docx) format.
Preference, Prioritization, and Acceptance Criteria
DNAstack reviews and prioritizes security reports based on potential risk, impact, and severity, including potential effects on system availability, data integrity, and confidentiality.
We will use the criteria from the next sections to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from DNAstack:
- A timely response to your email (within 1 week).
- After triage and if applicable, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and fixed.
If we are unable to resolve communication issues or other problems, DNAstack may bring in a neutral third party to assist in determining how best to handle the vulnerability.
5. Contact
Validated security incidents or vulnerabilities are escalated through DNAstack’s internal incident response, privacy, and breach management procedures, as applicable.
For more information about this policy, please contact:
Chief Privacy and Security Officer
DNAstack
120 Adelaide St West, Suite 2500
Toronto, Ontario, Canada
M5H 1T1
privacy@dnastack.com
www.dnastack.com