HomeSecurity Policy

Security Policy

Last updated: March 2026

Responsible Disclosure Policy

At WP Security Scanner, security is at the core of everything we do. We value the work of independent security researchers who help us keep our platform and users safe. If you've discovered a vulnerability, we want to hear from you.

Scope

This policy applies to all services and systems operated by WP Security Scanner, including:

  • The main web application and all subdomains
  • Our public REST API
  • Authentication and billing systems

How to Report

If you believe you've found a security vulnerability, please report it through our contact page. Include as much detail as possible:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your contact information for follow-up questions

What to Expect

  • Acknowledgment: We will acknowledge your report within 48 hours
  • Assessment: Our team will investigate and validate the issue within 5 business days
  • Resolution: We aim to resolve confirmed vulnerabilities within 30 days, depending on severity
  • Communication: We will keep you informed of our progress throughout the process

Guidelines

We ask that you:

  • Give us reasonable time to address the issue before public disclosure
  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Do not perform actions that could impact the availability of our services (e.g., denial of service)
  • Do not target other users' accounts or data
  • Act in good faith to avoid privacy violations and disruptions

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who follow these guidelines. We will work with you to understand and resolve the issue quickly.

Out of Scope

The following are generally out of scope:

  • Social engineering attacks (phishing, vishing)
  • Physical security issues
  • Issues in third-party services we use but do not control
  • Spam or rate limiting without demonstrated security impact
  • Missing security headers without a demonstrated exploit

Contact

For security reports, please use our contact page. For our machine-readable security policy, see /.well-known/security.txt.