Responsible Disclosure Policy

Last updated: April 23, 2026

Our Commitment

IsSafeSite is built by security researchers, for security researchers. We take the security of our platform seriously and welcome reports from the community. If you discover a vulnerability in IsSafeSite itself, we want to hear about it.

Scope

The following are in scope:

  • issafesite.com — Main application and all subdomains
  • API endpoints — /api/* routes
  • Authentication flows — OAuth, session management
  • Data handling — Scan data, SMTP credentials, user data

The following are out of scope:

  • Third-party services (PayPal, Vercel, Neon, OpenAI)
  • Social engineering or phishing attacks on staff
  • Denial-of-service attacks
  • Automated scanning without prior coordination

Reporting Guidelines

  1. Email your findings to security@issafesite.com with a clear description of the vulnerability, steps to reproduce, and potential impact.
  2. Include your contact information so we can follow up.
  3. Do not access, modify, or delete other users' data during testing.
  4. Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days).
  5. Act in good faith — avoid privacy violations, destruction of data, and interruption of services.

What We Promise

  • Acknowledgment — We will acknowledge receipt of your report within 48 hours
  • Updates — We will provide status updates as we investigate and remediate
  • No legal action — We will not pursue legal action against researchers acting in good faith
  • Credit — With your permission, we will credit you in our security advisories
  • Resolution — We aim to resolve critical issues within 7 days and high-severity issues within 30 days

Vulnerability Severity

Critical: RCE, authentication bypass, SQL injection, data exfiltration
High: XSS, CSRF, privilege escalation, IDOR
Medium: Information disclosure, rate-limit bypass, insecure defaults
Low: Missing headers, verbose errors, minor misconfigurations

Hall of Fame

We maintain a hall of fame for researchers who have responsibly disclosed vulnerabilities. If you would like to be recognized, please let us know in your report.

Contact

Security reports: security@issafesite.com

PGP key available upon request for encrypted communications.