Security & Responsible Disclosure

We take security seriously. If you find a vulnerability, here's how to report it.

Reporting a vulnerability

We welcome reports from security researchers. Please email security@xploitscan.com with the details of any vulnerability you find.

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce (commands, URLs, payloads)
  • Impact assessment (what can an attacker do?)
  • Your name or handle, if you'd like acknowledgment

We'll acknowledge receipt within 2 business days and keep you updated on our progress. Once we have agreed on a fix timeline, we ask that you hold public disclosure until the fix is deployed or the coordinated disclosure window described under "Response timeline" below has passed, whichever comes first.

Scope

The following are in scope for this program:

  • xploitscan.com and all subdomains
  • xploitscan-api.vercel.app (our scan API)
  • The xploitscan npm package
  • The XploitScan GitHub Action
  • XploitScan source code in our public repositories

Out of scope

  • Social engineering of XploitScan staff, customers, or vendors
  • Physical attacks or attacks requiring physical access
  • Denial of service (DoS) attacks against production infrastructure
  • Vulnerabilities in third-party services we use (Clerk, Stripe, Vercel, Turso) — report those to the vendor
  • Missing security headers that do not lead to an exploit
  • Self-XSS that requires a user to attack themselves
  • Clickjacking on pages with no sensitive actions
  • Rate limit bypasses on non-authenticated endpoints without further impact

Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Only test against their own accounts or accounts they have explicit permission to test
  • Do not exploit a vulnerability beyond what is necessary to confirm its existence
  • Give us reasonable time to fix the issue before public disclosure (typically 90 days)
  • Do not access, modify, or delete other users' data

If you follow this policy in good faith, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action against you for that research.

Response timeline

  • Acknowledgment: within 2 business days
  • Triage & severity assessment: within 5 business days
  • Fix timeline: depends on severity (critical: 1-7 days, high: 7-30 days, medium/low: 30-90 days)
  • Public disclosure: coordinated with reporter, typically 90 days after initial report or when a fix ships, whichever comes first

Rewards

XploitScan is a small independent company and we don't currently run a paid bug bounty program. We will, however, acknowledge researchers publicly (with permission) and provide a complimentary Pro subscription as a thank-you for any valid report. A formal bug bounty is on our roadmap.

Acknowledgments

Security researchers who have helped improve XploitScan will be listed here with their permission. No reports yet — be the first.

Contact

For security issues, email security@xploitscan.com.

For general support, email admin@xploitscan.com.