Security Policy
Last updated: March 2026
Responsible Disclosure Policy
At WP Security Scanner, security is at the core of everything we do. We value the work of independent security researchers who help us keep our platform and users safe. If you've discovered a vulnerability, we want to hear from you.
Scope
This policy applies to all services and systems operated by WP Security Scanner, including:
- The main web application and all subdomains
- Our public REST API
- Authentication and billing systems
How to Report
If you believe you've found a security vulnerability, please report it through our contact page. Include as much detail as possible:
- A description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
- Your contact information for follow-up questions
What to Expect
- Acknowledgment: We will acknowledge your report within 48 hours
- Assessment: Our team will investigate and validate the issue within 5 business days
- Resolution: We aim to resolve confirmed vulnerabilities within 30 days, depending on severity
- Communication: We will keep you informed of our progress throughout the process
Guidelines
We ask that you:
- Give us reasonable time to address the issue before public disclosure
- Avoid accessing, modifying, or deleting data that does not belong to you
- Do not perform actions that could impact the availability of our services (e.g., denial of service)
- Do not target other users' accounts or data
- Act in good faith to avoid privacy violations and disruptions
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who follow these guidelines. We will work with you to understand and resolve the issue quickly.
Out of Scope
The following are generally out of scope:
- Social engineering attacks (phishing, vishing)
- Physical security issues
- Issues in third-party services we use but do not control
- Spam or rate limiting without demonstrated security impact
- Missing security headers without a demonstrated exploit
Contact
For security reports, please use our contact page. For our machine-readable security policy, see /.well-known/security.txt.