Vulnerability Disclosure Policy

Last updated: February 15, 2026

At GhostMyData, security is core to our mission. We welcome reports from security researchers who find vulnerabilities in our systems. This policy describes how to report issues and what you can expect from us.

Scope

In Scope

  • ghostmydata.com (main website and application)
  • app.ghostmydata.com (dashboard)
  • Public-facing API endpoints
  • Authentication and session management
  • Data encryption and storage
  • Access control and authorization

Out of Scope

  • Third-party services we use (Stripe, Vercel, etc.) — report to them directly
  • Non-production or staging environments
  • Issues already known or reported
  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing attempts
  • Physical attacks against our offices or data centers
  • Customer data (do not access, modify, or delete other users' data)

Researcher Guidelines

To qualify for safe harbor protection, researchers must:

  • Only test against accounts you own or have explicit permission to test
  • Make a good-faith effort to avoid privacy violations and data destruction
  • Stop testing and report immediately if you access user data
  • Not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Give us at least 90 days to remediate the issue before any public disclosure
  • Not use automated scanning tools that generate excessive traffic

Prohibited Actions

The following actions are strictly prohibited and will void safe harbor protection:

  • Accessing or attempting to access another user's data or account
  • Performing denial of service attacks
  • Brute-force attacks against authentication systems
  • Social engineering of our staff, contractors, or customers
  • Physical attacks or threats
  • Using automated vulnerability scanners that generate excessive traffic
  • Placing malware or backdoors on our systems
  • Exfiltrating data beyond the minimum needed to demonstrate the vulnerability
  • Publicly disclosing a vulnerability before we've had time to fix it

How to Report

Send vulnerability reports to:

security@ghostmydata.com

Please include:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URL(s) or endpoint(s)
  • Screenshots or proof-of-concept code (if applicable)
  • Your contact information for follow-up
  • Any suggested remediation

Our Response

1. Acknowledgment: We acknowledge your report within 5 business days.

2. Assessment: We validate and assess the vulnerability, typically within 10 business days.

3. Remediation: We aim to remediate confirmed vulnerabilities within 90 days. Critical severity issues are prioritized for faster resolution. We provide status updates at least every 14 days until the issue is resolved.

4. Disclosure: After the fix is deployed, we may publicly acknowledge your contribution (with your permission).

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA)
  • Exempt from DMCA restrictions on circumvention of technology controls
  • Lawful and conducted in good faith

We will not initiate legal action against researchers who follow this policy. If legal action is initiated by a third party against you for activities conducted under this policy, we will take steps to make it known that your actions were authorized.

Recognition

We do not currently offer a financial bug bounty program. However, we may provide:

  • Public acknowledgment on our security page (with your permission)
  • A letter of appreciation for your professional portfolio
  • Direct credit in any security advisory we publish

Contact

Security Reports: security@ghostmydata.com

General Security Questions: security@ghostmydata.com

security.txt: Our security.txt file is available at https://ghostmydata.com/.well-known/security.txt per RFC 9116.