Security Policy
Effective Date: June 3, 2026
diana drive music ("we", "us", or "our") takes the security of dianadrive.com seriously. This Security Policy describes how we handle reports of potential security vulnerabilities and our expectations for responsible disclosure.
Scope
This policy applies to security vulnerabilities affecting:
- The dianadrive.com website and its static assets
- The contact form and associated spam protection (Turnstile)
- Our Cloudflare Workers: the X ("Focus On") feed, tour dates feed, and lyrics feed
- Related infrastructure we directly control
This policy does not cover:
- Third-party services we rely on (Formspree for form processing, Cloudflare for hosting/security/analytics, Bandsintown for tour data, YouTube, social platforms, our external merch store, or VIP Fan List provider). Please report issues directly to those organizations.
- Physical security, social engineering, or phishing attempts targeting individuals.
- Denial-of-service or availability attacks that impact other users.
- Issues that require physical access to our systems or devices.
Reporting a Vulnerability
We encourage responsible disclosure of security issues. The preferred methods are:
- Email (preferred): security@dianadrive.com
- The contact form on this site as a fallback (select an appropriate subject and clearly mark the message as a security report — note that form submissions are processed by a third-party service)
Please include as much of the following as possible:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce the issue
- Proof-of-concept code, screenshots, or other evidence (do not include sensitive data)
- Potential impact and severity assessment
- Any suggested mitigations
What You Can Expect From Us
We aim to:
- Acknowledge receipt of your report within 5 business days
- Provide regular updates on the status of our investigation
- Work with you to understand and validate the issue
- Remediate confirmed critical vulnerabilities within 30 days, and other confirmed vulnerabilities within 90 days
- Publicly credit you (with your permission) once the issue is resolved
Safe Harbor for Good-Faith Research
We will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to discover and report security issues
- Do not intentionally harm the site, its visitors, or our systems
- Do not exfiltrate, modify, or destroy data beyond what is required to demonstrate the vulnerability
- Do not perform attacks that degrade service for other users
- Give us a reasonable amount of time to investigate and remediate before any public disclosure
- Comply with all applicable laws
This safe harbor applies only to research conducted in accordance with this policy.
Out of Scope
The following are generally not considered valid security vulnerabilities under this policy and may not receive a response or recognition:
- Spam, abuse, or brute-force attempts against the contact form
- Issues affecting only third-party services
- Publicly known or previously reported issues
- Theoretical vulnerabilities without a working proof of concept
- Low-severity issues such as missing security headers that do not lead to exploitable impact on this site
- Self-XSS or issues that require the victim to perform specific actions
Recognition
We value the security research community. With your permission, we may publicly acknowledge researchers who responsibly report valid issues (for example, via our X account, in future site credits, or in a Hall of Fame if one is established).
We do not currently operate a monetary bug bounty program.
Third-Party Services
Many components of our site are provided by trusted third parties. Vulnerabilities in those services should be reported through their own disclosure programs:
- Cloudflare (hosting, Turnstile, Web Analytics, Workers)
- Formspree (contact form processing)
- Bandsintown (tour data is proxied through our own Cloudflare Worker + KV cache — vulnerabilities in Bandsintown's own infrastructure should be reported directly to them)
- YouTube and other social/streaming platforms
Changes to This Policy
We may update this Security Policy from time to time. The updated version will be indicated by an updated "Effective Date" and will be posted on this page.
Contact
For security vulnerability reports, please use one of the methods listed above or refer to our security.txt file.
For general questions, use the contact form or email us at info@dianadrive.com.
Last updated: June 3, 2026