Responsible Disclosure
Last updated: 2026-05-29.
Scam Checker welcomes good-faith security research. If you think you've found a vulnerability, please email us before disclosing it publicly. We'll read every report and try to respond within a few business days.
How to report
- Email security@scamchecker.app
- Include reproduction steps, the affected URL or API route, and the impact.
- Where useful, attach a minimal proof of concept. Do NOT include real user data — synthetic test values only.
In scope
- The Scam Checker production site at scamchecker.app and all subpaths.
- The public source code in the GitHub repository.
Rules of engagement
- No destructive testing. Don't delete, modify, or exfiltrate data. Demonstrate impact, then stop.
- Don't access other users' data. If a bug allows it, prove the access exists on a test account or with placeholder data, then report.
- No automated mass scanning that causes service degradation. The site runs on a small Vercel project and a single database — please be gentle with rate.
- No social engineering of operators, contributors, or third-party providers (Vercel, GitHub, Google).
- No physical attacks — we don't own infrastructure for that to apply to anyway.
- Give us reasonable time to remediate before publishing details (typically 90 days, though we'll work to be faster).
Out of scope
- Reports about third-party services (Vercel, GitHub, Google Analytics, Prisma) — please report those to the vendor.
- Best-practice missing-header reports without a concrete impact path.
- Issues that require the victim to install hostile browser extensions, or to be on a compromised device.
- Self-XSS that requires the victim to paste payloads into developer tools.
- Volumetric DoS / DDoS demonstrations.
What you can expect back
- Acknowledgement of the report within a few business days.
- A triage decision (accepted / duplicate / out of scope) with reasoning.
- Where appropriate, public acknowledgement once the issue is fixed (with your permission and preferred handle).
Safe harbour
We treat good-faith research that follows the rules above as authorised. We won't pursue legal action, regulatory complaints, or platform reports against researchers who report vulnerabilities to us in this way. This is engineering practice, not legal warranty — see the disclaimer and terms.