Responsible Disclosure

Last updated: 2026-04-23

We welcome reports of vulnerabilities in Security:Lab itself. Reports that follow the principles below will not trigger legal action and will receive a reply as quickly as we reasonably can.

1. In scope

  • Everything served from the security.elab-studio.xyz domain.
  • Flaws in the scan pipeline, token issuance, or report-viewing paths.

2. Out of scope

  • Vulnerabilities found in the target domain of a scan; please handle those directly with that domain's owner.
  • Policy/UX complaints and issues originating from third-party services (OSV.dev, hosting, CDN).
  • Purely informational header omissions (e.g., X-Powered-By).

3. Safe testing

  • Use only accounts and data you own. If proving impact requires access to someone else's data, stop at a proof-of-concept string and report.
  • Availability-impacting tests (DoS, request floods) are forbidden.
  • Please do not publicly disclose issues until they are confirmed fixed.

4. How to report

Email gdode2080@gmail.com with:

  • Affected path or endpoint.
  • Reproduction steps and estimated impact.
  • Proof-of-concept where feasible (short, non-destructive).
  • A contact address for follow-up.

5. Response SLA

  • Acknowledgement: within 3 business days.
  • Triage decision: within 10 business days.
  • Fix and disclosure: on a mutually agreed timeline based on severity.

6. Acknowledgement

Valid reports may be credited on a public page (or anonymized at your request). We do not currently operate a paid bug-bounty program.