Security Testing Guidelines
We value the efforts of the security community in identifying vulnerabilities and keeping our platform safe. If you believe you've found a security issue, please read the guidelines below before testing or reporting.
Responsible Testing
- Test only on your own accounts and data, unless explicitly permitted.
- Use non-destructive methods. Avoid automated tools or scanners that may overload our systems.
- Report issues promptly through our security disclosure page.
- Provide clear and reproducible steps for the issue.
- Allow us reasonable time to fix the issue before public disclosure.
Prohibited Activities
- Do not perform denial-of-service (DoS or DDoS) attacks or simulate traffic floods.
- Do not attempt to access or modify data that does not belong to you.
- Do not use social engineering, phishing, or physical intrusion methods.
- Do not submit spam, fake vulnerabilities, or participate in black-hat activities.
- Do not attempt to disrupt or degrade the availability of our services.
Scope & Disclosure
We appreciate all good-faith efforts to report security issues. While we may not offer a financial bounty at this time, we're happy to publicly recognize contributors in our Security Hall of Fame as well as send you some sticker swag.
- Focus on application-level issues (e.g., XSS, CSRF, auth bypass, misconfigurations).
- Out-of-scope findings include missing SPF/DMARC records, outdated libraries without a working exploit, and self-XSS without a security impact.
- For DNS/email configuration, please be specific and provide headers or reproduction steps.
How to Report
Please submit security reports via our disclosure form or email us at security@javascripttoday.com. We'll review and respond as quickly as possible.