Security — ScamLens

ScamLens takes security seriously. This page describes how we handle data, incidents, and responsible disclosure.

Reporting a vulnerability

Email [email protected] with a description, steps to reproduce, and impact. We acknowledge within 48 hours and aim to remediate critical issues within 7 days.

See our vulnerability disclosure policy for scope, safe-harbor terms, and recognition.

Machine-readable summary: /.well-known/security.txt

How we protect data

  • TLS 1.2+ enforced everywhere (HSTS preload, 1-year).
  • Cloudflare Zero Trust + D1 isolation per namespace.
  • API keys encrypted at rest (AES-256-GCM) and scoped per project.
  • No user-submitted content is shared with third parties outside the documented threat-intelligence aggregations.
  • Least-privilege IAM on all cloud integrations; secret rotation every 90 days.

Incident response

Active incidents and historical post-mortems will be published at status.scamlens.org (rolling out). Critical incidents are disclosed to affected users within 72 hours, consistent with GDPR Article 33.

Compliance

  • GDPR / UK GDPR: Lawful basis documented; Data Processing Agreement available on request.
  • CCPA / CPRA: Do-Not-Sell honored; DSAR turnaround within 45 days.
  • SOC 2 Type II: Audit scheduled for 2026 Q3.
  • PCI: payments processed by Stripe; ScamLens does not store card data.

Acknowledgments

Researchers who have helped harden ScamLens will be listed in our hall of fame here as we acknowledge valid reports.