Security policy
How to report a vulnerability in Sekrd. We run a scanner, so you'd expect us to take our own security seriously. We do.
Report a vulnerability
Email security@sekrd.com with reproduction steps, impact, and a suggested severity. Encrypt with our PGP key at /.well-known/pgp-key.txt if the details are sensitive.
You'll receive a human reply within 2 business days and a triage outcome within 5 business days. Fixes ship to production as soon as they're verified.
Scope
In scope
- sekrd.com — marketing site, dashboard, admin panel
- api.sekrd.com — scan API, webhooks, auth endpoints
- Sekrd scan engine itself (authenticated scan submissions, result access, integration creds)
- Paddle webhook handler (revenue-security class — we treat this as critical)
- Public scan-report pages behind view-token
Out of scope
- Third-party services (Paddle, Cloudflare Turnstile, SMTP) — report directly to them
- Rate-limit / DoS reports without a concrete bypass
- CSP or security-header recommendations (we know; run our own scanner on us)
- Reports from automated scanners without manual verification
- Findings requiring physical access to Anthropic / AWS infra
- Social engineering of Sekrd employees
Safe harbor
If you follow this policy in good faith we will not pursue civil action, file criminal complaints, or make DMCA takedown requests against you. We extend this safe harbor to you personally and, if you're an employee, to your employer when the research is authorized.
We adhere to disclose.io core terms. Good-faith research is protected; research that's destructive, coercive, or extracts customer data beyond proof-of-concept is not.
Rules
- Test only against accounts you own or explicitly have permission to use. Don't touch other customers' scans, reports, or data.
- If you access data that isn't yours, stop immediately, document how, and include that in your report. Don't download, store, share, or analyze it beyond proof-of-concept.
- Don't brute-force credentials. Rate-limit your tests to a reasonable volume.
- Don't run destructive payloads (wipe, inject persistent content, DoS).
- Don't social-engineer our employees or customers.
- Keep findings private until we publicly acknowledge the fix, or 90 days have passed — whichever is first.
Disclosure timeline
- Day 0: you email security@sekrd.com
- Day 2: human acknowledgement
- Day 5: triage outcome (severity + planned timeline)
- Day 30: fix deployed for critical/high
- Day 90: public acknowledgement + CVE if applicable
Recognition
We do not operate a public cash-bounty program at this time. Researchers who report validated issues in good faith receive:
- Public acknowledgment on our hall of fame (with your preferred name / handle / no attribution — your choice).
- A direct response from our security team, with remediation status updates.
- For exceptional reports with real impact: case-by-case reward at our discretion (could be swag, account credit, or monetary, decided per report).
A formal triage-backed bug-bounty program (with defined scope, cash tiers, and managed intake) is on our roadmap once we have the volume to run it responsibly via a platform such as HackerOne. Until then we will not publish per-severity cash amounts, to avoid creating the wrong incentives for bad-faith submissions.
Acknowledgments
Researchers who have reported validated issues are listed on our trust center.
If this is your first responsible-disclosure submission, tell us — we'll help you through it. Everyone starts somewhere.
This policy adheres to RFC 9116 (security.txt). Machine-readable contact at /.well-known/security.txt.