Security Disclosure Policy
VibeScan is a security product. We take the security of our own infrastructure seriously and welcome responsible disclosure from the security community.
How to report a vulnerability
If you discover a security vulnerability in VibeScan — including the scanning engine, API endpoints, web application, or any other service we operate — please report it to us privately before any public disclosure.
Please include in your report: a description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence (screenshots, request/response logs, PoC code). The more detail you provide, the faster we can remediate.
Scope
- ✓www.vibescan.space and subdomains
- ✓The VibeScan scanning API
- ✓Authentication system
- ✓Stripe payment integration
- ✓User data / scan results storage
- ✓Security badge infrastructure
- —Denial of service attacks
- —Physical or social engineering
- —Third-party services (Stripe, Vercel, Supabase)
- —Apps scanned by users (not our infrastructure)
- —Rate limit bypasses without security impact
- —Self-XSS or issues requiring user interaction
Our commitments to you
We will confirm receipt of your report and provide an initial assessment within 48 hours of receiving it.
We will communicate a timeline for remediation within 7 business days. Critical vulnerabilities are prioritised immediately.
We ask for 90 days from acknowledgement to patch and deploy a fix before any public disclosure. We will work with you on the timeline if circumstances require it.
We will not pursue legal action against researchers acting in good faith, following this policy, and not accessing, modifying, or destroying user data.
We will credit researchers by name (or anonymously, by request) in our security changelog when their report leads to a confirmed fix.
Guidelines for researchers
To qualify for safe harbor and recognition, please:
- Report issues privately to security@vibescan.space before disclosing them publicly.
- Do not access, modify, exfiltrate, or destroy data belonging to other users.
- Do not disrupt our service — test against your own scans and accounts only.
- Provide sufficient detail to reproduce the issue.
- Give us reasonable time to fix the issue before publishing.
Verification
If you need to encrypt sensitive vulnerability details, email security@vibescan.space to request our PGP public key. We will provide it within 24 hours.