Vulnerability Disclosure

Last updated: March 2026

Security research helps keep OpenScouter safe for testers and businesses. If you have discovered a potential vulnerability, we want to hear from you. This page explains what is in scope, how to report, and what to expect.

How to Report

Send vulnerability reports to security@openscouter.com.

Encrypt sensitive reports using our PGP key, available at openscouter.com/.well-known/security.txt.

Include as much detail as you can:

  • A description of the vulnerability and its potential impact.
  • The affected component (platform, browser extension, API endpoint).
  • Steps to reproduce, including any proof-of-concept code or screenshots.
  • Your assessment of severity.

You do not need to have a complete exploit to report. Early-stage findings are welcome.

Scope

The following systems are in scope for vulnerability research:

Web platform

  • openscouter.com and all paths under it
  • The authenticated application at openscouter.com

Browser extension

  • The OpenScouter browser extension published on the Chrome Web Store and Firefox Add-ons

API

  • The REST API at openscouter.com/api/
  • Webhook endpoints used for Stripe and Telegram integrations

Out of Scope

The following are not in scope and reports relating to them will not be acted on:

  • Denial-of-service attacks (volumetric or application-layer)
  • Social engineering of OpenScouter staff or users
  • Physical attacks against infrastructure
  • Vulnerabilities in third-party services we use (report these to the respective vendor)
  • Security issues in end-of-life browser versions
  • Missing HTTP headers that have no demonstrated impact
  • Self-XSS that requires the attacker to execute code in their own browser context
  • Reports generated entirely by automated scanners with no manual analysis

Safe Harbor

We will not pursue legal action against researchers who:

  • Report vulnerabilities to us privately before public disclosure.
  • Do not access, modify, or delete user data beyond what is necessary to demonstrate the issue.
  • Do not disrupt platform availability or degrade performance for other users.
  • Do not disclose vulnerability details publicly until we have confirmed a fix.
  • Act in good faith throughout the process.

We consider responsible security research to be a positive contribution. We will not treat it as a violation of our terms of service.

What to Expect

After you submit a report:

  1. We will acknowledge receipt within 48 hours.
  2. We will confirm whether the report is in scope and provide an initial severity assessment within 5 business days.
  3. We will keep you updated on progress as we investigate and fix the issue.
  4. We will notify you when the fix has been deployed.

We aim to resolve critical vulnerabilities within 30 days and high-severity vulnerabilities within 60 days. More complex issues may take longer. We will communicate delays proactively.

Researcher Recognition

We maintain a Hall of Fame for researchers who report valid, in-scope vulnerabilities. Recognition is opt-in: let us know in your report if you would like to be listed, and whether you prefer your name, handle, or to remain anonymous.

We do not currently offer a monetary bug bounty programme. We are grateful for research contributions and recognise them publicly where the researcher consents.

Coordinated Disclosure

We ask for a 90-day disclosure window before publishing details of a vulnerability publicly. If you intend to present findings at a conference or publish a write-up, let us know so we can coordinate timing.

If we are unable to fix a vulnerability within 90 days, we will work with you on a disclosure timeline that balances transparency with user safety.