Vulnerability Disclosure Policy

Latest update: October 3, 2025

ScanDog is a cybersecurity-focused platform. We recognize that any system or infrastructure may have vulnerabilities. We strongly encourage responsible reporting of security vulnerabilities to protect ScanDog, our customers, partners, and stakeholders, and to make the digital ecosystem safer.

Contact

You can submit vulnerability reports to security[at]scandog.io.


Vulnerability Disclosure Policy (VDP)

Safe harbour

ScanDog will not pursue legal action against individuals acting in accordance with this policy.

If third parties attempt legal action for compliant reporting, we will support the researcher and notify relevant authorities if necessary.

Our promise

  • Timely review and acknowledgment of vulnerability reports.
  • Open communication with the reporter.
  • Timeline guidance for remediation; standard disclosure deadline is 90 days.

Your promise

By reporting, you agree to:

  • Use vulnerabilities only for responsible disclosure to ScanDog.
  • Report exclusively and promptly after detection.
  • Avoid any actions intended to harm ScanDog, customers, partners, or stakeholders.

Bug bounty

ScanDog currently does not offer a bug bounty program, though this may change in the future.


Scope

This VDP applies to:

Excluded from scope:


Prohibited activities

The following are not permitted under this VDP:

  • Denial of service attacks (including resource exhaustion, high-load automated scanners, data deletion, fuzzing)
  • Spamming
  • Social engineering (including phishing)
  • Physical attacks (e.g., entering or surveilling properties)
  • Attacks on non-internet-facing systems (internal networks, private IPs, workstations, etc.)
  • Installing persistent backdoors

Out-of-scope issues

The following issues do not fall under this VDP:

  • Lack of DKIM/SPF/DMARC records
  • Missing HTTP headers (CSP, Permissions-Policy, etc.)
  • Clickjacking without practical impact
  • Missing cookie flags
  • Non-sensitive information disclosure (robots.txt, sitemap.xml, files, directories)
  • Self-attacks or low-impact CSRF
  • Open ports without exploitability
  • Vulnerabilities requiring unrealistic preconditions
  • Lookalike domains or homograph attacks
  • Broken links or metadata in assets (images, PDFs)
  • Theoretical vulnerabilities without a realistic exploit
  • Outdated software without proven security impact
  • Third-party vulnerabilities recently patched (within 2 weeks)

Thank you ❤️

Thank you to everyone who responsibly reports vulnerabilities to ScanDog. Your efforts help make our platform and the broader community more secure.
