Vulnerability Disclosure Policy — ScamLens
Last updated: 2026-04-16
Scope
This policy covers security research performed against assets under:
- *.scamlens.org
- ScamLens Chrome Extension (Chrome Web Store ID: OrangeDuck)
- ScamLens public API (api.scamlens.org)
Third-party services (Stripe, Google Auth, Cloudflare, Brevo, Resend) are out of scope — report directly to those vendors.
Safe harbor
We will not pursue legal action against researchers who:
- Act in good faith and comply with this policy
- Do not access, modify, or exfiltrate data beyond what's necessary to demonstrate the vulnerability
- Do not disrupt services or degrade user experience
- Report promptly and maintain confidentiality until remediation
Out of scope
- Denial of service / load testing against production
- Social engineering of staff or users
- Physical attacks
- Reports from automated scanners without confirmed impact
- Self-XSS and clickjacking on pages with no sensitive state
- Missing best-practice headers on static assets (already tracked internally)
How to report
Email [email protected] with:
- Title and affected asset
- Steps to reproduce (clear, minimal)
- Impact analysis (what could an attacker achieve)
- Suggested remediation (optional)
We acknowledge within 48 hours. Remediation targets: Critical 7 days, High 14 days, Medium 30 days, Low best-effort.
Recognition
Validated reports are acknowledged on the Security acknowledgments page with your preferred name (or anonymously on request).