Security
Responsible Disclosure Policy
Effective date: 12 July 2026
StopBouncing takes the security of our service and our users’ data seriously. We welcome responsible disclosure of security vulnerabilities by security researchers and members of the public.
1. How to report a vulnerability
If you believe you have discovered a security vulnerability in StopBouncing, please report it to us by emailing:
Please include in your report:
- A clear description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce the issue.
- The URL, endpoint, or component affected.
- Any proof-of-concept code, screenshots, or other supporting material.
- Your name or alias, if you would like acknowledgement.
2. What we ask of you
Please act responsibly by:
- Not accessing, modifying, or deleting data that does not belong to you.
- Not disrupting the availability of our service or infrastructure.
- Not performing social engineering, phishing, or physical security attacks against our team or infrastructure.
- Not disclosing the vulnerability publicly until we have had a reasonable opportunity to address it (see timeline below).
- Limiting your testing to accounts and data you own or have explicit permission to test.
3. What we commit to
- Acknowledgement: We will acknowledge receipt of your report within 3 business days.
- Assessment: We will assess the severity and scope of the vulnerability and keep you informed of our progress.
- Resolution: We aim to resolve critical vulnerabilities within 14 days and other vulnerabilities within 90 days, depending on complexity.
- Notification: We will notify you when the vulnerability has been fixed.
- No legal action: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy.
4. Scope
In scope:
- stopbouncing.com and all subdomains
- The StopBouncing REST API (api/v1/…)
- The dashboard and admin panel
- Authentication and session management
Out of scope:
- Denial-of-service attacks
- Spam or social engineering attacks
- Vulnerabilities in third-party services we use (report those to the respective vendor)
- Issues that require physical access to a user’s device
- Automated scanner output without demonstrated exploitability
5. Acknowledgements
We maintain a gratitude list for researchers who responsibly disclose valid vulnerabilities. If you would like to be credited, please include your preferred name or alias in your report. We do not currently offer a monetary bug bounty programme.
6. Contact
We respond to all security reports. If you do not receive an acknowledgement within 3 business days, please follow up as your email may not have reached us.