Responsible disclosure policy.
Purpose
If you believe you have identified a security issue affecting ShieldScope, we encourage you to report it responsibly. We take security reports seriously, will respond promptly, and will not pursue legal action against researchers who act in good faith and follow these guidelines.
Scope
This policy applies only to systems and services owned and operated by ShieldScope.
In scope:
- The ShieldScope web application at shieldscope.app
- The ShieldScope API (shieldscope.app/api/*)
- Security misconfigurations in the application or hosting infrastructure we control
Out of scope:
- Third-party services ShieldScope queries as part of normal tool operation — including Cloudflare, Hetzner, Let’s Encrypt, Have I Been Pwned, and HackerTarget. Report issues in those services directly to their respective security programs.
- Infrastructure or services not under ShieldScope’s control
- Issues requiring physical access to systems
How to report
Submit your report using the contact form. Start your message with "Security Report" so it is routed correctly.
Please do not disclose the issue publicly until we have had an opportunity to investigate and respond — see Coordinated disclosure below.
What to include
- A clear description of the issue and its potential impact
- Steps to reproduce — relevant URLs, request/response pairs, or screenshots
- Your assessment of severity and exploitability
- Whether you would like to be credited publicly or remain anonymous
Safe harbor
If you report an issue in good faith, follow these guidelines, and stay within the scope and constraints described here, we will:
- Not pursue legal action against you in connection with your research
- Work with you to understand and address the reported issue
- Acknowledge your contribution publicly if you wish to be credited
This safe harbor applies only to activities within the defined scope and consistent with these guidelines.
Testing approach
ShieldScope is built around passive analysis — we examine publicly available information without probing, exploiting, or interacting intrusively with systems. We ask that security research follow the same principle.
Please avoid:
- Denial of service, flooding, or actions that degrade availability for other users
- Automated exploitation, credential attacks, or brute-force attempts
- Accessing, modifying, or deleting data belonging to other users
- Social engineering or phishing targeting ShieldScope users or the operator
- Automated scanning beyond what the application’s normal interface supports
- Testing for vulnerabilities in systems outside the defined scope
Demonstrating the existence of an issue is sufficient. Exploitation beyond what is necessary to confirm it is not.
Response expectations
- Acknowledgement — within 72 hours of receipt
- Status update — within 14 days of acknowledgement
- Resolution notice — we will notify you when the issue is resolved
ShieldScope is operated by an individual. Response times reflect that — we aim to be prompt but do not have a dedicated security operations team.
Coordinated disclosure
Please allow 90 days from the initial report before public disclosure, so that there is time for investigation and remediation. If your situation requires a different timeline, contact us — we will work with you in good faith. We will not ask for unreasonable delays.