BRANDITSCAN V2 IS HERE FASTER SCANS SMARTER TAKEDOWNS NOW INCLUDES URLINKS PRO ALL-NEW PLATFORM BRANDITSCAN V2 IS HERE FASTER SCANS SMARTER TAKEDOWNS NOW INCLUDES URLINKS PRO ALL-NEW PLATFORM BRANDITSCAN V2 IS HERE FASTER SCANS SMARTER TAKEDOWNS NOW INCLUDES URLINKS PRO ALL-NEW PLATFORM
Security · Responsible Disclosure

Vulnerability Disclosure Policy

Creators trust BranditScan with their identity and their work, so we take every security report seriously. If you believe you have found a vulnerability, we want to hear from you — and we will work with you to get it fixed.

Report a vulnerability

Three ways to reach us

Pick whichever channel you already work in. Every report lands with the same security team and gets the same treatment.

Fastest
Email

Straight to the engineering team — no account needed.

dev@branditscan.com Use the subject "Vulnerability Report" so it gets triaged fastest.
HackerOne

Prefer working through a platform? We accept and triage reports submitted via HackerOne.

Submit through HackerOne
Bugcrowd

Also on Bugcrowd — submissions made there reach the same team with full tracking.

Submit through Bugcrowd

What to include in a report

Security research done in good faith makes every creator on BranditScan safer. To help us reproduce and fix the issue quickly, please include:

  1. A clear description of the vulnerability and the affected URL, endpoint, or feature.
  2. Step-by-step instructions or a proof of concept that reproduces the issue.
  3. Your assessment of the impact — what an attacker could realistically do with it.
  4. A way to reach you for follow-up questions (and the name we should credit, if you would like one).
Rules of engagement

Creator privacy is non-negotiable

Your research must respect the people this platform protects.

Do
  • Only test against accounts you own or have explicit permission to use
  • Access, view, or store the minimum data necessary to demonstrate the issue
  • Report promptly and keep details confidential until we have fixed the issue
  • Give us a reasonable time to remediate before any public disclosure
Don't
  • Access, modify, delete, or exfiltrate data belonging to other users or creators
  • Run destructive tests or intentionally disrupt the service
  • Demand payment for withholding disclosure — that is extortion, not research
Safe harbor

We will not pursue legal action against, or report to law enforcement, anyone who researches and reports vulnerabilities in good faith and in line with this policy — we consider such research authorized. If a third party takes legal action against you for activity conducted in accordance with this policy, we will make it known that your actions were authorized by us.

This policy may be updated from time to time as our security program evolves. Last updated July 2026.