Security

Security Disclosure Policy

VibeScan is a security product. We take the security of our own infrastructure seriously and welcome responsible disclosure from the security community.

How to report a vulnerability

If you discover a security vulnerability in VibeScan — including the scanning engine, API endpoints, web application, or any other service we operate — please report it to us privately before any public disclosure.

Security contact
security@vibescan.space
Monitored daily. PGP key available on request.

Please include in your report: a description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence (screenshots, request/response logs, PoC code). The more detail you provide, the faster we can remediate.

Scope

In scope
  • www.vibescan.space and subdomains
  • The VibeScan scanning API
  • Authentication system
  • Stripe payment integration
  • User data / scan results storage
  • Security badge infrastructure
Out of scope
  • Denial of service attacks
  • Physical or social engineering
  • Third-party services (Stripe, Vercel, Supabase)
  • Apps scanned by users (not our infrastructure)
  • Rate limit bypasses without security impact
  • Self-XSS or issues requiring user interaction

Our commitments to you

Acknowledgement within 48 hours

We will confirm receipt of your report and provide an initial assessment within 48 hours of receiving it.

📋
Remediation timeline within 7 days

We will communicate a timeline for remediation within 7 business days. Critical vulnerabilities are prioritised immediately.

🤝
90-day coordinated disclosure

We ask for 90 days from acknowledgement to patch and deploy a fix before any public disclosure. We will work with you on the timeline if circumstances require it.

🛡
Safe harbor

We will not pursue legal action against researchers acting in good faith, following this policy, and not accessing, modifying, or destroying user data.

🏆
Credit

We will credit researchers by name (or anonymously, by request) in our security changelog when their report leads to a confirmed fix.

Guidelines for researchers

To qualify for safe harbor and recognition, please:

  • Report issues privately to security@vibescan.space before disclosing them publicly.
  • Do not access, modify, exfiltrate, or destroy data belonging to other users.
  • Do not disrupt our service — test against your own scans and accounts only.
  • Provide sufficient detail to reproduce the issue.
  • Give us reasonable time to fix the issue before publishing.

Verification

If you need to encrypt sensitive vulnerability details, email security@vibescan.space to request our PGP public key. We will provide it within 24 hours.

Related
How VibeScan scans apps →Privacy policySecurity changelogGeneral contact